Privacy policy

Version 1, March 2022, Hvar

We are ZORI, hospitality trade, owned by Iva Tomlinović, Hvar, Palmižana 19, PIN 2339068645 (hereinafter: "ZORI").


If you have any questions regarding our processing and protection of your personal data, as well as questions regarding this Privacy Policy, please feel free to contact us in writing at the address of our headquarters or by e-mail at: gdpr@zori.hr.


We will inform you about changes and/or additions to the information in the Privacy Policy in a timely manner and via our website.

In order to fully understand this Privacy Policy, we kindly ask you to carefully read the definitions of the terms listed below:

General Regulation means REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of the 27th of April 2016, on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation);

Processing means any operation or set of operations carried out on personal data or on sets of personal data, whether automated or non-automated, such as collecting, recording, organizing, structuring, storing, adapting or modifying, finding, inspecting, using, detecting by transmission, disseminating or otherwise making available, harmonizing or combining, restricting, deleting or destroying;

Personal data means all data relating to an individual whose identity has been established or can be established (respondent);

Respondent means an individual whose identity has been established or can be established; an identifiable individual is a person who can be identified directly or indirectly, in particular by means of identifiers such as name, identification number, location data, network identifier or by one or more factors specific to physical, physiological, genetic, mental, economic, cultural or social identity of that individual;

Controller means a natural or legal person, public authority, agency or other body which alone or together with others determines the purposes and means of processing personal data;

Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

Recipient means a natural or legal person, public authority, agency or other body to which personal data are disclosed, whether a third party or not;

Third party means a natural or legal person, public authority, agency or other body other than the respondent, controller, processor or persons authorized to process personal data under the direct authority of the controller or processor;

Consent of the respondent means any voluntary, special, informed and unambiguous expression of the respondent's wishes by which he gives his consent to the processing of personal data relating to him by a statement or clear affirmative action;

Violation of personal data means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to personal data transmitted, stored or otherwise processed;

Supervisory authority means an independent public authority established by a Member State; in the Republic of Croatia, it is the Agency for Personal Data Protection (AZOP), Selska cesta 136, 10 000 Zagreb, Croatia.

In order to protect the persons and property of ZORI, we collect and process your personal data through video surveillance, based on the legal basis of legitimate interest (Article 6(1)(f) of the General Regulation). Video surveillance is installed at all entrances to the restaurant, and at the entrances to the kitchen, bar and warehouses. Prior to entering the recording perimeter, warning notices were set up, which contain all important information regarding the processing of personal data via video surveillance.

The recordings may be provided to the competent authorities on request (for example the police) if necessary for the conduct of proceedings under applicable regulations.

Recordings obtained through video surveillance are kept for a maximum of 6 (six) months, unless the applicable regulations define a longer retention period or if they are evidence in court, administrative, arbitration or other equivalent proceedings.

We use cookies on our website www.zori.hr. For more information on the cookies we use and how to manage these cookies, please read our Cookie Policy.

ZORI has accounts on some social networks, which can be accessed (among other things) through links on our website.

For now, we have open accounts on the following social networks: https://www.instagram.com/zori.timeless/ and https://www.facebook.com/zori.timeless/

Our website contains links that lead to our accounts on social networks, whose privacy policies may differ from ours. All information you provide through the social network, as well as all communication that takes place through the social network is at your own risk. ZORI is not responsible for the actions of social network users, nor for the actions of the social network itself. Your interaction with the social network in relation to the processing of your personal data is governed by the privacy policy of that social network.

ZORI uses legitimate interest as the legal basis for certain processing of your personal data. In the previous sections of this Privacy Policy, we indicate for which categories of respondents and personal data and for which purposes we use a legitimate interest as a legal basis.

Prior to the processing of your personal data whose legal basis is our legitimate interest, we take into account your interests and fundamental rights and freedoms, as well as your reasonable expectations about the processing of personal data in our relationship.

Our legitimate interest may vary depending on the business process involved, that is, on which personal data processing operation we are using.

If the provision of personal data is your legal or contractual obligation or condition necessary for the conclusion of the contract, we will clearly inform you at the place of collection of your personal data whether the provision of personal data is mandatory or not, and what are the possible consequences if you do not provide personal data.

In the event that we disclose your personal data to recipients, we take care that we have a valid legal basis and that the business of the recipient of your personal data is in accordance with the General Regulation and other regulations on personal data protection. Also, when applicable, relations with recipients regarding the processing and protection of personal data are regulated in detail by a special contract (in addition to the basic contract).

Recipients of your personal data, among others, can be our processors, who provide us with services necessary for our daily business, such as our external associates who provide us with additional operational support such as maintenance and upgrades of information systems and software solutions, development and maintenance of our website and the like.

Recipients of your personal data may, among others, be other independent processors, who provide us with services important to our lawful business and other services necessary for our day-to-day operations, such as providers of services complying with applicable regulations such as legal advice, tax consulting, auditing and the like.

The recipients of your personal data may, among others, be the competent authorities acting within the scope of their legal powers and may process your personal data on the basis thereof. ZORI has a legal obligation to disclose your personal data to the competent authorities as recipients of your personal data (conducting surveillance, conducting inspections, setting or defending legal claims, etc.).

When using certain tools (functionalities) on our website, which we need for our regular business and daily tasks, the transfer of your personal data to third countries may occur. The country to which your personal data may be transferred is the United States of America. The European Commission and the United States of America have reached an agreement in principle on a new transatlantic framework for personal data protection, which should enter into force soon - read more at: https://ec.europa.eu/commission/presscorner/detail/hr/ip_22_2087.

Currently, in the case of a transfer, we use two steps to authorise the transfer in question. The first step consists of identifying the legal basis of the transfer (your consent), while the second step provides additional measures to protect the transfer, all in accordance with the provisions of Chapter V of the General Regulation.

ZORI implements appropriate technical and organizational measures to protect your personal data when determining the means and methods of processing and during the processing itself, taking into account the latest achievements, implementation costs and the nature, scope, context and purposes of processing.

We are constantly reviewing and improving all our technical and organizational measures to ensure that they are appropriate and up-to-date.

We divide our technical and organizational measures into three groups: measures to ensure confidentiality, measures to ensure integrity and measures to ensure the availability of personal data, and the resilience of our processing systems.

Measures to ensure the confidentiality of your personal data include, but are not limited to, general physical access control, general logical access control, special access control to personal data, separation of personal data and the like.

Measures to ensure the integrity of your personal data include, but are not limited to, control in the case of personal data transfer, control when entering personal data into our processing systems and the like.

Measures to ensure the availability of your personal data and the resilience of our processing systems include, but are not limited to, availability control, resilience of our processing systems, periodic audits, assessments and evaluations of our business in relation to personal data protection and the like.

The retention periods of your personal data vary depending on the categories of personal data we process, the purposes and legal bases of the processing of your personal data (criteria we use when calculating the period of storage of personal data). We also always keep the retention period of your personal data to a minimum (the "retention period limitation" principle).

Below are the general retention periods defined by the legal basis for the processing of your personal data, but please be aware that the subject periods may vary depending on the specific processing situations.

If you would like more detailed information about the retention periods of your personal data, you can contact us at our contacts listed in the first point ("Our Information") of this Privacy Policy.

When the applicable regulations define the period in which we are obliged to retain your personal data, we retain them in the period provided by the applicable regulations and delete them in an additional period of 1 (one) month.

When we have signed a contract with you and when there is no applicable period defined by applicable regulations in which we are obliged to retain your personal data, we retain them for the entire duration of our contractual relationship and delete them within an additional period of 1 (one) month from the date of termination.

When we process your personal data based on the legal basis of our legitimate interest, we retain it for the entire period of our legitimate interest and delete it after an additional period of 1 (one) month from the termination of our legitimate interest.

When we process your personal information based on your consent, we store it until you withdraw your consent. When you withdraw your consent, we will delete your personal data as soon as possible. If you have given us your consent for a certain period, at the end of the period in question, we will delete your personal data as soon as possible.

Certain business documents that may contain some of your personal data (for example, contracts, contract annexes, statements, certificates, etc.) are stored permanently as part of our business documents or for a longer period as proof of the existence and termination of our relationship and for setting, exercising and defending against legal demands.

As a respondent whose personal data we process, you have the right to exercise the rights listed and described below. However, you can exercise some rights only under certain conditions in accordance with the provisions of the General Regulation, so those would be exceptions to the exercise of rights. For example, you cannot exercise the right to erasure under certain conditions defined in Article 17 (3) of the General Regulation and the like.

You can exercise your rights by sending a request to our e-mail address gdpr@zori.hr or by sending it by mail or delivering it in person to the address of our headquarters - Palmižana 19, Hvar, Croatia.

In order to be able to act on your request and provide you with accurate and complete information as soon as possible, please ensure that your request contains the following: necessary information about your identity (name, surname, OIB, etc.), the name of the right you want to exercise, a detailed description of your request and the contact information to which you would like us to send our response.

When applying for the exercise of rights, in case of reasonable doubt about your identity, we have the right to ask you to provide additional information necessary to confirm your identity.

We will respond to your request within one month from the date of receipt of your request. We may extend the deadline by an additional 2 (two) months if the request is complex or if you have submitted more than one request. We will inform you in time about the extension of the deadline for responding to your request and the reasons for the extension.

Right to access information - as a respondent, you have the right to ask us to confirm whether we are processing your personal data and, if we are processing it, access to your personal data and relevant information in relation to them. We also provide you with a free copy of your personal data that we process, if this does not adversely affect the rights and freedoms of others.

Right to correction - as a respondent whose personal data we process, you have the right to obtain a correction of your inaccurate personal data. Taking into account the purposes of processing, you have the right to request the amending of your incomplete personal data, including by giving an additional statement.

Right to erasure ("right to forget") - as a respondent whose personal data we process, you have the right to obtain the erasure of your personal data if one of the conditions of Article 17 (1) of the General Regulation is met. Please note that the right of erasure cannot be exercised under certain conditions defined in Article 17 (3) of the General Regulation.

Right to limit the processing - as a respondent whose personal data we process, you have the right to obtain a restriction on the processing of your personal data if one of the conditions of Article 18 (1) of the General Regulation is met.

Right to portability - as a respondent whose personal data we process, you have the right to receive your personal data in a structured, commonly used and machine-readable format and transfer it to another controller if the processing of your personal data is based on consent or contract and processing is automated.

Right to withdraw consent - as a respondent whose personal data we process on the basis of consent as a legal basis, you have the right to withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of the processing of your personal data on the basis of consent before its withdrawal.

Right to object - as a respondent whose personal data we process, you have the right to object to the processing of your personal data based on your special situation, which we process based on our legitimate interest and/or for direct marketing purposes, including profile creation.

The right to object to the supervisory authority - as a respondent whose personal data we process, you have the right to object at any time to an independent public authority for the protection of personal data. The independent public authority in the Republic of Croatia is the Personal Data Protection Agency (AZOP) with its registered office at Selska cesta 136, 10 000 Zagreb, Croatia. You can contact AZOP by e-mail at azop@azop.hr, by calling 00385 (0) 1 4609-000 or in writing at the registered office address. More information about AZOP can be found on their website www.azop.hr.