HR
HR
Information on Personal Data Processing via Online Platforms
Zagrebačka banka d.d. respects your right to personal data protection and its website www.zaba.hr uses technologies that provide a better and safer online experience. Please read this information to understand how and why we process your personal data via online platforms including our official website (www.zaba.hr). In addition, below please find specific information with regard to our business profiles on social network (e.g., Facebook, LinkedIn, Instagram, TikTok, etc.).
Further information with regard to the processing of personal data in connection with the supply of products and services will also be provided to you via specific web forms that you access and through which you provide your personal data, as well as specific Personal Data Processing Information (for example, for the purpose of scheduling a video conference or a meeting at one of our branches).
Generally, further information regarding personal data processing in the context of Zagrebačka banka d.d.’s business activities is available on our official website under “Personal Data Processing“.
1
Controller and Data Protection Officer
CONTROLLER
Zagrebačka banka d.d., OIB (Tax ID No.): 92963223473, having its registered office at Trg bana Josipa Jelačića 10, 10000 Zagreb, Republic of Croatia (hereinafter referred to as the Bank) is the controller
email: zaba@unicreditgroup.zaba.hr
tel.: 01/3773 333
DATA PROTECTION OFFICER
Our Data Protection Officer is available to you at:
email: sluzbenik.za.zastitu.osobnih.podataka@unicreditgroup.zaba.hr
2
Processing of Personal Data
This part explains the following:
Personal data being processed and how the Bank collects your personal data
As regards the use of the Bank’s website or communication on social networks or other online platforms (e.g., posting comments concerning the Bank, i.e. your interaction with the Bank’s social network business profiles), we process information concerning you as a natural person, which allow us to identify you directly or in combination with other information („personal data”).
Source of personal data
Such data are collected directly from you as you enter/provide them or result from the processing of information concerning your activities on online platforms (as detailed below).
Legal grounds on and purposes for which the Bank processes the personal data it collects
Depending on your use of online platforms, their technological capabilities and tools and your tracking choices (e.g., cookies accepted/blocked, etc.), your business needs and obligations, the Bank process all or some categories of personal data. For more information, below please find explanations and examples of data that the Bank processes.
The information you provide us with
The Bank collects this information when you decide to provide it (e.g., when you request that the Bank contact you in connection with a particular service/product or voluntarily provide your contact details), for example via an online chat, in a “Schedule a Meeting” form, in a “Complaints”, “Suggestions” or “Praise” form, etc.
Whenever you contact our employees via an online chat or a web form on the Bank’s website and request assistance or ask a question, your data are processed to allow us to answer your questions or provide you with the services you request (e.g., when you ask to schedule a meeting, etc.) and to allow the Bank to contact you if necessary and address your requests or queries. In that case, such processing is necessary to allow you to exercise one of your rights guaranteed by the applicable regulations (e.g., to have your complaint responded to) or for the purpose of performing a contract with you or to take steps at your request prior to entering into a contract.
Please note the data designated as required. If you, as a user, fail to provide such required information to allow us to perform an activity you have requested or expect to be performed, such activity will not be feasible (e.g., if you fail to provide any data necessary for scheduling a meeting).
In addition, whenever you contact us, e.g., via a social network where the Bank maintains its profile, we will collect the data you provided us with when making your query or request for the purpose of responding to your query in the context of performing a contract with you or taking steps at your request or if such processing is necessary to allow you to exercise a right you have under the applicable regulations (the Bank is required to respond to each complaint).
Therefore, the personal data you provide are collected via online platforms for various purposes.
If such processing is necessary to perform a contract (or take steps prior to entering into a contract) or to comply with a legal obligation, and the data are processed via online platforms (e.g., data collected via a web form), the data subject is required to provide his or her personal data. If the data subject refuses to provide any required data, the Bank may refuse to enter into a contractual arrangement with you or may not be able to comply with specific obligations (as applicable).
Consequences of failure to provide data
In addition, if data are being processed on the basis of legitimate interest, e.g., in connection with the provision (or continued provision) of any of the Bank’s services, such data are deemed necessary for the purpose of pursuing legitimate interests. The Bank always ensures that such processing is only carried out if, based on its assessment of such legitimate interest, such interests of the Bank are not overridden by the interests or fundamental rights and freedoms of the data subject. In addition, the data subject may lodge a complaint in relation to such personal data processing based on legitimate interest.
Data we collect via cookies and other similar tools (hereinafter referred to as cookies)
The operation of our website includes the use of computing systems and software procedures collecting data on website users as part of its normal functioning, and such information is transmitted where internet communication protocols apply. Zagrebačka banka collects data about the type of device (computer, mobile phone, tablet, TV, etc.) being used to access our website via cookies and other technologies (data layer). These data include your IP address, details of your hardware, app version and language settings, browser type, time of access and website addresses, your location (country) and information about your activities on our website (e.g., the pages you visit, the products you browse – information about your clicks and your access to www.zaba.hr).
The Bank also collects and processes data to improve its website and its contents and to provide you with information and advertisements relevant to you and your interests, which is possible after enabling cookies that are not necessary (e.g., statistical or marketing cookies). For example, to suggest tailored offers that in which you may be interested or to provide you with information about other websites/services the Bank believes may be interesting to you (e.g., about the Bank’s legal entities or partners).
To enable any cookies other than the necessary cookies, we need your prior consent. You are not required to give your consent to such cookies and may withdraw it at any time without detriment.
Please find further information about cookies here, as well as your consent that you can later withdraw by changing the settings via this link.
No consent is required to enable necessary (technical) cookies as they are used to ensure that our website functions in a proper and secure way (to ensure proper operation of the website and detect any error in and/or abuse of the website). Without such cookies, some parts of the website will not function properly. These cookies are preconfigured and may not be disabled in the settings – please find further information on which cookies are considered necessary here.
Furthermore, most browsers include the “Do Not Track” feature which allows users to send a request without being tracked (e.g., for analytics or profiling).
Please note that the “Do Not Track” option will not be enabled until your first access after enabling it on your device.
Use of online platforms (e.g., social networks) and other tools to collect information concerning the Bank’s business activities
For the purposes of statistical analysis, gathering information about impressions and expectations of people using our products or services and measuring the use of our website, the Bank collects information using technological capabilities made available by different online platforms and other service providers. For example, the Bank’s website (www.zaba.hr) uses certain statistical tools such as Adobe Analytics (hereinafter referred to as Adobe). Adobe Analytics uses the JavaScript code implemented on the website to collect information on visitors. When a visitor accesses our website, JavaScript records information such as the number of visits, pages browsed, time spent on the website, source of visit, and plenty of other relevant information.
Adobe Analytics is a tool designed for analyzing websites, which allows organizations to track and analyze the behavior of people visiting their websites. The data collected and processed by Adobe include unique identifiers, browser type and settings, device type and settings, operating system, mobile network details and the app version number. These cookies allow them to track user activities to gather information about their activities, navigation and interactions, including the IP address, system activity, and date and time.
Adobe is able to anonymize data that may be used by organizations to ensure that user data remain protected. These options allow data collection and analysis without revealing a user’s identity.
Furthermore, Adobe collects information regarding website interactions, including the IP address, system activity, date and time and URL suggestions as may be requested by the data subject.
The Bank also uses services offered by Facebook, YouTube, Instagram, LinkedIn, TikTok and X where it maintains its business profiles containing links to third-party websites.
Third-party owners of online platforms define their own personal data processing processes and determine which information will be registered on servers (e.g., Facebook, LinkedIn, etc.) in relation to your online platform posts, interactions or communication, as well as your activities regarding the relevant contents (e.g., reactions to contents such as “Like”, “Share”, “Comment”, etc.).
This Information does not apply to services and third parties that have separate privacy policies, i.e. personal data processing information. Further information about their policies and how they use your personal data is available at:
Social Media Contact Information
If you would like to contact any of the online platforms where the Bank maintains its business profiles for the purpose of exercising your rights or asking questions regarding their data collection or processing activities, you can contact them using the following details:
META PLATFORMS IRELAND Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland
Facebook’s Data Protection Officer:
dpfinquiry@support.facebook.com
Instagram’s Data Protection Officer:
https://www.facebook.com/help/contact/540977946302970
You can also contact the Irish Data Protection Commissioner or the Personal Data Protection
Google Ireland, Ltd., Gordon House Barrow St, Dublin 4, Ireland
You Tube’s Data Protection Officer:
https://support.google.com/policies/contact/general_privacy_form
You can also contact the Irish Data Protection Commissioner or the Personal Data Protection
LINKEDIN IRELAND UNLIMITED COMPANY
Attn: Legal Dept. (Privacy Policy and User Agreement), Wilton Plaza, Wilton Place, Dublin 2, Ireland
LinkedIn Data Protection Officer:
https://www.linkedin.com/help/linkedin/ask/TSO-DPO
You can also contact the Irish Data Protection Commissioner or the Personal Data Protection
X International Unlimited Company
Attn: Data Protection Officer, One Cumberland Place, Fenian Street, Dublin 2, D02 AX07 Ireland
X Data Protection Officer:
https://x.com/en/privacy
You can also contact the Irish Data Protection Commissioner or the Personal Data Protection
TikTok Technology Limited
10 Earlsfort Terrace, Dublin, D02 T380, Ireland
TikTok Information Technologies UK Limited
Kaleidoscope, 4 Lindsey Street, London, United Kingdom, EC1A 9HP
TikTok Data Protection Officer:
privacy@tiktok.com i tiktok.com/legal/report/DPO/hr
You can also contact the Irish Data Protection Commissioner or the Personal Data Protection
3
Withdrawal of consent
Consent can be withdrawn at any time without affecting the lawfulness of processing based on such consent prior to its withdrawal. In addition, the data subject may withdraw his or her consent without detriment. At the time of giving his or her consent, the data subject will be informed of how he or she can withdraw it.
4
Are personal data shared with third parties
Subject to maintaining confidentiality, the Bank may share your data with its reliable partners (mainly processors or sub-processors or specific controllers) for specific purposes: statistical analysis, provision of technical or IT support, or other similar purposes.
In addition, the Bank will share your data with another recipient (e.g., a supervising/inspecting regulator, etc.) if legally required to do so or on any other legal grounds binding upon the Bank.
5
Transfer of data beyond the European Economic Area
If it is necessary to transfer your personal data to a country outside the European Economic Area (third country) for which no adequacy decision of the European Commission is in place, such transfer shall be carried out using appropriate safeguards (including for example but not limited to standard data protection clauses laid down by the European Commission and available on the European Commission’s website, ensuring that enforceable rights and effective remedies remain available to data subjects). Data may be transferred to a third country if the European Commission finds such country to guarantee an appropriate level of protection (adequacy decisions – further information is available on the European Commission’s website).
The Bank will only transfer your personal data to a third country to the extent necessary and in compliance with the applicable regulations or on any other legal grounds binding upon the Bank.
Please note that when you, for example, provide your data via a social network, the third party operating such social network may transfer your data to a third country beyond the EU/EEA (e.g., if they store information on servers located in such country or allow access to persons located in third countries) where they are processed according to the regulations applicable in such country and the privacy policies implemented by such third-party operators of social network platforms.
6
For how long does the Bank retain personal data
Normally, the Bank will only store your personal data for as long as necessary to fulfill a particular purpose, i.e. for as long as prescribed.
The consent to data collection (cookies) is given via a pop-up and renewed 12 months after your last acceptance or denial of specific cookies. The time during which your personal data collected via cookies will be stored depends on the duration of the cookies – they will remain stored until the user deletes them on their device or changes the cookies settings on the Bank’s website, provided that the evidence of consent to cookies is retained for 12 months after the date such consent is given.
After such periods expire, the data will be erased and/or anonymized, except for data that the Bank must retain longer in case a dispute arises and/or the Bank needs to process such data to establish or defend a legal claim, in which case such data will be stored longer, i.e. for as long as the purpose of their processing exists (e.g., pending completion of proceedings) or for as long as prescribed in each case.
7
Rights of data subjects
Each data subject whose personal data are processed by the Bank as the controller is entitled to demand the exercise of the following rights:
The right of access
according to Article 15 of the General Data Protection Regulation
Allows the data subject to know whether or not personal data concerning him or her are being processed and obtain from the Bank confirmation as to whether or not personal data concerning him or her are being processed, the purposes of the processing, the categories of personal data concerned, the recipients or categories of recipients, the envisaged period for which the personal data will be stored, etc.
The right to rectification
according to Article 16 of the General Data Protection Regulation
Allows the data subject to demand that any inaccurate or incomplete personal data concerning him or her be rectified.
The right to erasure
according to Article 17 of the General Data Protection Regulation
Allows the data subject to demand that personal data concerning him or her be erased, however, the Bank is not allowed to erase such data subject’s personal data if their processing is necessary (e.g., for compliance with a prescribed duty of confidentiality or for the establishment, exercise or defense of legal claims).
The right to restriction of processing
according to Article 18 of the General Data Protection Regulation
Allows the data subject to demand that the processing of his or her personal data be restricted if the accuracy of the personal data is contested by the data subject, if the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead, or if the data subject has objected to processing pending the verification whether the legitimate grounds of the controller override those of the data subject.
The right to personal data portability
according to Article 20 of the General Data Protection Regulation
Allows the data subject to receive the personal data concerning him or her (and to have such data transmitted directly to another controller). Please note that the right to portability only applies to the data subject’s personal data that he or she has provided to the Bank in a structured, commonly used and machine-readable format, if the processing is based on consent (with regard to personal data or specific categories of personal data) or on the performance a contract to which the data subject is a party or on taking steps prior to entering into a contract at the request of the data subject, provided that such right does not adversely affect the rights and freedoms of others.
The right to object
according to Article 21 of the General Data Protection Regulation
Allows the data subject to object to the processing of personal data, e.g., if the processing is necessary for the purpose of pursuing legitimate interests of the Bank (including profiling). The Bank shall no longer process the personal data unless the Bank demonstrates compelling legitimate grounds for the processing (grounds which override the interests, rights and freedoms of the data subject) or for the establishment, exercise or defense of legal claims.
The right to lodge a complaint with a supervisory authority
according to Article 77 of the General Data Protection Regulation
Allows the data subject to lodge a complaint with a supervisory authority.
If you would like to exercise any of the above rights or if you have any questions, please contact us at: zaba@unicreditgroup.zaba.hr, weburednik@unicreditgroup.zaba.hr or contact our Data Protection Officer at: sluzbenik.za.zastitu.osobnih.podataka@unicreditgroup.zaba.hr
We will send our response to your request within one month of receiving it. As an exception, this period may be extended for two more months in case of complex or multiple requests, of which we will notify you.
Lodging a complaint with the competent supervisory authority
You can also lodge a complaint regarding the processing of personal data by the Bank as the controller with the competent personal data protection authority, i.e. the Personal Data Protection Agency, Ulica Metela Ožegovića 16, 10000 Zagreb (e-mail: azop@azop.hr, phone: 01 4609 000).
8
Modifications and updates
If necessary, the Bank will update and modify this Information and the cookie notice to provide you with new important information and to keep you informed of the processing of your personal data, which is why we recommend you periodically check for updates
Last updated 28 February 2026.