Loyalty Rewards Program Privacy Statement

This Statement sets forth the personal information protection principles in relation to Article 13 of the EU General Data Protection Regulation 2016/679 (also: GDPR). It is made in relation to the Tommy Loyalty Rewards Program (Croatian, “Program nagrađivanja vjernosti Tommy”, also: Program), a promotional program organized by the company Tommy d.o.o., 93 Domovinskog rata, 21000 Split, Croatia (also: Tommy, Company) as the processor of Program Members’ personal information. The Program is available at the Internet address www.tommy.hr/program-vjernosti. This Statement forms an integral part of the Company’s Privacy Policy, setting forth detailed information regarding privacy protection in the Loyalty Rewards Program.

All changes to our Privacy Policy shall be published here.

The Company enables all of the Loyalty Program users to use various benefits offered by the Company through the Program upon registration and admittance. The Loyalty Rewards Program enables its members to accrue points and use them in the form of price discounts, take part in special promotions and use various other benefits. Users may become Program members by filling out and submitting printed applications available at all of the Company’s points of sale or by submitting online application forms available through the Company’s website at www.tommy.hr/program-vjernosti.

Members’ personal information shall be processed for the purposes of user registration and fulfilling contractual obligations, while some of the information (additional information and interests) shall be processed based on Members’ consent. The Company offers general and personalized promotions to Members tailored to their wishes and interests.

1. Data Processor’s Name and Contact Information

The Data Processor is the Tommy d.o.o. company with its seat at 93 Domovinskog rata, 21000 Split, Croatia.

The Data Protection Officer may be reached at zastita-podataka@tommy.hr.

The Company’s Internet pages may be found at: www.tommy.hr/program-vjernosti.

2. What Data is Processed and Why

2.1. At the time of entry into the Loyalty Rewards Program, in accordance with the Tommy Loyalty Rewards Program Terms of Use (also: Terms of Use), the following information is required:

  • Gender,
  • Full name,
  • Date of birth,
  • Address,
  • Electronic mail address,
  • Telephone number.

The information is required for the following reasons:

Gender – to address people correctly in Croatian and to adjust promotional materials (for example: programs aimed at women alone);

Full name, date of birth, address – to identify users and additionally screen persons below legal age from signing up for the Loyalty program, as well as to deliver membership cards to a user’s mailing address.

The date of birth is additionally used to create user age groups for the purpose of additional discounts and promotions tailored to certain age groups (for example: special retirement discounts or discounts for students).

The email address and telephone number are used to facilitate contacts with the User in case of application forms not being fully completed, as well as to deliver codes, vouchers and notices, or deliver any other type of promotional material by sending emails or SMS (text) messages.

The information listed above is gathered based on a contractual relationship resulting from the acceptance of the Terms of Use. During registration, a password-protected user account is created for each user. The user account is the basis for a Member’s registration and stores all information assigned to a Member’s login credentials. Members access their user accounts exclusively by using the web application at the address www.tommy.hr/program-vjernosti, which enables Members insights into their account balance, as well as the accrual and consumption of reward points. By accessing their user account, each Member independently edits their personal user profile. Members are not required to use the web application, but can obtain insights into their account balance by inspecting a printed receipt delivered at each purchase, in accordance with the Terms of Use.


3. User profile editing

3.1. Each Member may edit their user profile independently to supply additional information. This information is supplied on a voluntary basis, and each Member may share any additional information with the Company of their own volition. Examples of such additional information are answers to the questions: do you shop online, what store type do you prefer between markets, hypermarkets and supermarkets; how often do you shop: daily, weekly, monthly etc. A second group of additional information pertains to a Member’s interests, for example: are they interested in our hobby gardening program, pet program and other such programs.

This information is used to gain insights into Members’ preferences and interests in order to improve our service and expand the range of products we carry, as well as to inform our loyal Users in a timely manner regarding possible price discounts and to tailor promotional materials to their declared interests. The basis for collecting this information is a Member’s consent; by supplying the information, the Member consents to having the information processed, and the information can also be deleted in the same way.

By analyzing the information supplied, we establish possible links between one or more of a Member’s personal details and interests as they relate to our products. We use mathematical methods to establish such links, in order to then tailor product offers and promotions to Members’ desires and interests.

We make no decisions during automated data processing which relate to you (as per Article 22 Item 1 of the GDPR), whereas your consent, should you supply additional information, shall be the basis for defining your field of interest as a potential recipient of customized, personalized promotional messaging. Fields of interest shall be based on card use information (purchase history, type of goods bought, frequency and money value of each purchase) as well as gender and age information. In order to gauge the efficacy of promotional messaging, we note which message was sent to you and which products you bought, as well as when and how often you buy them, and also your payment methods. Purchase location is another segmentation criterion. Based on all these factors we determine the types of future customized messaging we may send you. For example, the data described above may allow us to determine, based on your shopping habits, what times or what frequency is the most appropriate for tailored promotional messaging, and which product groups to use.

Members may revoke their consent to process additional information and interests at any time, by simply deleting the information from their User Profile. After such an act of consent withdrawal, all information obtained about a Member through analytical work is erased in a secure manner. The Member will no longer be sent personalized promotions tailored to their desires and interests, but only basic notices and non-personalized promotions and notices in accordance with the Terms of Use.

4. Technical and Organizational Data Protection Measures

The Processor shall apply adequate technical and organizational measures to protect the personal information as well as the integrity of the processing itself. In addition to work environment safety measures, we apply communication channel encryption by using the SSL (Secure Sockets Layer) protocol.

The Processor shall process personal information in collaboration with various Executors in the field of information technology, namely renowned Croatian companies with substantial experience in the area. These Executors have been carefully vetted and contractually bound to protect the integrity of the information in accordance with Article 28 of the GDPR.

Your data shall not be forwarded to external entities nor transported outside the European Economic Area. The sole exception to this may be in response to demands issued by the Croatian supervisory body (known as AZOP) or compliance with requests originating from judiciary agencies.

Personal information shall be stored and processed throughout the period of active Loyalty Program Membership. Incomplete printed application forms which do not contain a legible communication method are destroyed immediately in a secure manner. Incomplete printed application forms with additional amendments (related to basic info) received via electronic mail shall be stored for 4 (four) months from the day a permanent membership card was initially used. Completed printed application forms shall be stored for 4 (four) months from the day a permanent membership card was initially used.

Upon membership termination, a Member shall be marked as an Inactive User in the system. From the moment a Member is marked inactive, they shall no longer receive promotional materials, discount notices and similar. An Inactive User’s information is erased in a secure manner.


The Company’s Internet pages use a technology known as cookies in order to simplify the use of our pages and enable the use of certain functions.

A User may adjust their browser software so that our cookies are not archived on their device; however, doing so may result in the loss of functionality of said web pages. More about cookies can be found under “Cookie Policy” on the page www.tommy.hr/program-vjernosti.

5. Applicants’ Rights

All our applicants are granted full rights guaranteed by the GDPR. These rights are as follows:

  • Right of Access,
  • Right to Correction,
  • Right of Deletion (“Right to Forget”),
  • Right to limit processing,
  • Right to transfer data,
  • Right to object,
  • Right to object to decisions based exclusively on automated processing.

Please note these Rights are not absolute. Depending on the context, the legal basis for data processing or the lack thereof, exercising certain rights may be impossible. We undertake to inform you in an appropriate manner should such a situation arise. Members may at any time direct any queries they may have regarding their personal information to the Data Protection Officer at the email address zastita-podataka@tommy.hr.

Applicants may exercise their rights in the following ways:

  • In person at the Company seat at the address 93 Domovinskog rata, 21000 Split, Croatia, or
  • By mailing a request labeled Data Protection Officer, or
  • Emailing the address zastita-podataka@tommy.hr.

Note: the identity of a person making such requests must be ascertained.

  • if using registered mail, please attach a legible copy of your identification documents, as well as a letter of authority if applicable,
  • if you are coming in person, please have identification documents with you, as well as a letter of authority if applicable.

Additionally, applicants have the right to submit complaints to the Croatian regulatory body – the Personal Information Protection Agency (Croatian, “Agencija za zaštitu osobnih podataka” or AZOP): 130 Selska cesta, 10000 Zagreb, telephone +385 (0)1 4609 000, azop@azop.hr.

6. Final Notes

The Tommy d.o.o. company cares for your needs and your personal information, and cares about your opinion. Please feel free to reach out to us any time at 93 Domovinskog rata, 21000 Split, Croatia, or at the Data Protection Officer’s email address at zastita-podataka@tommy.hr.

In Split, November 2, 2021.

Version 1.00