Privacy policy

This Privacy Policy informs the user of this website how and which data we collect, who has access to and how we process such data, for which purposes it is collected and how we protect personal data.

In its business operations, the company CEI Zagreb d.o.o., as the Data Controller, is guided primarily by the compliance with all applicable laws and regulations relating to the protection of personal data of its employees, customers, debtors and persons related to them, as well as other persons whose personal data is processed for the purposes related to the business operations of the Data Controller.

The business activity of CEI Zagreb d.o.o. is focused mainly on the collection of outstanding claims, i.e. on providing debt recovery services based on a Subcontracting Agreement, Business Cooperation Agreement, etc., and for these purposes, personal data is collected and processed, i.e. internally, the personal data of the Data Controller’s employees is involved, as a result of which the need emerged to formulate a privacy policy, all within the provisions of the GDPR and related legislation.

This Privacy Policy formulated by the Company in accordance with the General Data Protection Regulation (REGULATION (EU) 2016/679 of 27 April 2016) does not diminish the rights and does not establish obligations for the users in relation to the processing of personal data, but is rather a unilaterally binding act of the Data Controller.

On our web user interface, the user is given access to the e-mail of the Data Controller, in which way the user himself initiates the delivery of his/her data to the Data Controller, whether in connection with inquiries related to the debt, information about business operations or inquiries related to the data protection.

CEI Zagreb d.o.o., as the Data Controller, in accordance with the GDPR collects and processes through this website the data that you have submitted to us via contact e-mail, including but not limited to:

  • Identifiers such as: name and surname, identification number, citizen’s registration number, date of birth, residence/temporary residence address, e-mail address, telephone number.
  • Financial data such as: amount of the contractual obligation, amount of payments made, number of current/giro account or another account used for the contract performance, number of issued outstanding invoice, contract number
  • Identifiers and financial data on the related persons: guarantors, co-debtors, heirs etc.
  • Statutory data: data on employment, social status, business solvency.

This Privacy Policy refers to the processing of personal data collected through the Data Controller’s website, voluntarily by the user.

The personal data shall be processed only to meet the purpose for which they are collected or provided, in a manner that ensures appropriate security of the data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. Only persons authorised by the Data Controller, i.e. persons who need the data to perform their work duties, shall have access to the users’ personal data.

Once the legitimate purpose for which the data has been collected has been met, there is no longer the need to process such data and they shall be anonymised or deleted, depending on whether positive legal regulations prescribe a specific time during which certain personal data or documentation which contains personal data should be kept. Until the expiration of that period, personal data shall be anonymised for archive purposes and kept in specially protected places (both in electronic and paper form) until final destruction.

We may receive your personal data from a third part. In that case, we will provide you with all relevant information about their processing as soon as possible, but no later than 30 (thirty) days after we received your inquiry regarding the categories of personal data that are being processed, the methods of collecting personal data, as well as the purpose and legal basis for collecting and processing personal data.

Every time you visit our website, your consent for using cookies will be required. Learn more about how we use cookies in our Cookies Policy.

Given the nature of our business and the methods of collecting and purpose of processing personal data, be it inquiries related to the debt, information about business operations or inquiries related to the data protection, we take full account of your rights as the user in accordance with the GDPR, namely:

  • Right to be informed with respect to the processing of your personal data in writing or, where applicable, by electronic means or at your verbal request, subject to prior unambiguous identification of the Data Subject. The Data Controller shall provide you with the requested information or notify you about the reasons for non-delivery of the requested information within 30 (thirty) days from the date of receipt of the request
  • Right of access to the personal data or right of information on the type of personal data relating to the Data Subject, the methods and purposes of processing, and the recipient of data, also information about the duration of the period in which the data are stored, and the right of obtaining a copy of the personal data undergoing processing
  • Right to rectification of inaccurate or incomplete personal data
  • Right to erasure of personal data or the so-called “right to be forgotten”, in which case the Data Subject has the right to obtain erasure of personal data processed by the Data Controller, subject to the conditions laid down in Article 17 of the General Data Protection Regulation, unless the Data Controller has a more substantial legitimate interest
  • Right to restriction of processing personal data, subject to the conditions laid down in Article 18 of the General Data Protection Regulation
  • Right to object to processing of personal data concerning him or her, which may be denied if the Data Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the Data Subject, or for the establishment, exercise or defence of legal claims, except in the case of direct marketing.

Legally relevant grounds for processing your personal data may be the following:

  • Consent –means any freely given, specific, informed and unambiguous indication of the Data Subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her
  • Contract – means any contract to which the Data Subject is a party, i.e. the performance of which requires the processing of the personal data of the Data Subject
  • Legal obligations of the Data Controller – the purpose of processing personal data is based on the legal regulations requiring the Data Controller to process personal data
  • Data Subject’s essential interests – the data processing is in the interest of the Data Subject
  • Data Controller’s legitimate interest – means the interest that prevails over the Data Subject’s interest, unless the Data Subject is a child

The purpose of the processing itself depends on the type of legal basis for processing personal data, and is defined in the legal basis together with an indication of the categories of the Data Subject’s personal data, methods of processing, periods of storage of personal data, protective measures and safeguards of the processing, etc.

When you make your data available to us through a contact related to information about business operations, involving a legal entity, for the purposes of providing certain services, concluding a contract or making payments in accordance with the respective contracts, we may process your personal data such as identity/name data including the company registration number or identification number, business contact data, bank account and tax number, and in certain cases we process personal data such as the name and contact of your employees which are necessary for the execution of the contracted work or for negotiation the terms of business cooperation.

Access to your personal data is primarily granted to the Data Controller’s employees who need the data to perform their daily tasks. Other Data Controllers, Processors or Subcontracted Processors may also have the right to access and process your data, but on the basis of positive legal regulations, contractual provisions or a consent or substantiated legitimate interest. Everyone who has access to your personal data shall comply with the confidentiality obligation regarding the data. In order to protect personal data, appropriate technical and organizational safeguards have been set up and are being implemented. Employees are allowed to use personal data only to the extent that is required to perform their duties.

The collected data shall be stored in the European Union (EU) and the European Economic Area (EEA). We store your personal data on our servers, where we apply appropriate technical and organizational safeguards to protect your personal data and prevent unauthorized access. Once we receive your data, we use strictly controlled procedures and security measures to prevent unauthorized access.

Inquiries and objections with regard to the processing of your personal data can be sent to You will receive an answer to your inquiry within 30 (thirty) days from receipt thereof.

In the case our answer is not to your satisfaction, or you have objections to our handling of your personal data, you can contact the Croatian Personal Data Protection Agency in writing to the address: Selska cesta 136, Zagreb, or via email at:, or via phone at: 01 4609 000.