Tommy Online Sales Privacy Policy

This Policy sets forth data protection principles in accordance with the EU General Data Protection Regulation (EU 2016/679) passed by the European Parliament and the Council of Europe on April 27, 2016 (also: GDPR) and the Croatian General Data Protection Regulation Implementation Act (Croatian, “Zakon o provedbi Opće uredbe o zaštiti podataka,” N.N. 42/2018.)

The Tommy Online Sales System is an online sales system managed by the Tommy company with its seat at 93 Domovinskog rata, 21000 Split, Croatia (also: Tommy or Company) as the processor of personal information on behalf of its Registered users. This Policy forms an integral part of the Company’s Privacy Policy, and pertains to Tommy online sales as described in the document titled General Tommy Online Sales System Terms of Use (Croatian, “Opći uvjeti za korištenje sustava Tommy online prodaje”) published on November 2, 2021.

We shall publish all changes to our Privacy Policy here as well.

The Tommy Online Sales System (also: Tommy online sales) is made available by the Company to all prospective users via the Internet pages at or by using the Tommy mobile application (also: Tommy mobile app) for the purpose of fast, simple and secure online shopping.

The Company processes all Registered Users’ and Clients’ personal information for the purposes of Tommy online sales, for the purpose of managing the system and to fulfill contractual obligations. The Company, while managing Tommy online sales, processes the personal information supplied by Registered Users when applying (either through browsing the Company’s website or by using the Tommy mobile app) as well as the information gathered about the Registered User through their use of Tommy online sales.

1. Data Processor’s Name and Contact Information

The Data Processor is the Tommy d.o.o. company with its seat at 93 Domovinskog rata, 21000 Split, Croatia.

The Data Protection Officer may be reached at

The Company’s Internet pages may be found at:

2. What Data is Processed and Why

At the time of registering for the Tommy Online Sales System, in accordance with the Tommy Online Sales Terms of Use (also: Terms of Use), the following information is required:

For individuals:

  • Full name,
  • Date of birth,
  • Gender,
  • Mobile phone number,
  • Electronic mail address,
  • Delivery address.

If a Client demands that a R-1 business receipt be issued, the following information regarding the business entity is required:

  • Business entity’s owner’s full name (or company name)
  • Address,
  • Postal code,
  • Town,
  • Country,
  • Business entity’s OIB (tax number.)

The information pertaining to individuals is required for the following reasons:

Full name, date of birth, address – to identify users, make deliveries and additionally screen persons below legal age from participating in Tommy online sales;

Gender – to address people correctly in Croatian;

The date of birth is additionally used to create user age groups for the purpose of additional discounts and promotions tailored to certain age groups (for example: special retirement discounts or discounts for students).

The email address and telephone number are used to facilitate contacts with Registered Users in case of order forms not being fully completed, goods ordered not being fully available, delivery of order reception notices, delivery of payments and other notices pertaining to the process of ordering, paying for and delivering goods.

The information required for business entities is required for the following purposes:

Business entity’s owner’s full name (or company name), address, postal code, town, country, owner’s or company’s OIB or tax number – required to issue a R1 business receipt.

The above information for individuals and business entities is gathered based on a contractual obligation resulting from the acceptance of the Terms of Use. At the time of registering for Tommy online sales a password-protected user account is created for each user. The user account forms the basis of a user’s registration and encompasses all information assigned to the user’s login credentials. Registered Users access their user accounts exclusively through browsing the Company’s website at or by using the Tommy mobile app. Registered Users independently edit their personal user accounts. Personal information entered during an unsuccessful registration attempt, for example in cases where Users do not accept the Terms of Use, shall be stored in the system for 7 (seven) days in order to facilitate the completion of the registration process, after which time they shall be irrevocable erased in a secure manner.

In cases where deliveries to Clients are made by Acting Couriers, in order to fulfill contractual obligations and render services ordered, the Acting Courier must gain access to certain personal information pertaining to the Client. The Company shall notify Acting Couriers the following personal information categories: full name, address and address details, order number and receipt. The Company and the Acting Courier shall each be considered separate processors of personal information, registered and licensed to perform their economic activity, with regards to personal information protection.

3. User Account Editing

Each Registered User shall edit their user account independently, and thus be allowed to browse their order history, past or canceled orders, price discounts, products listed as favorites, as well as to enable a “save card” option for card payments. If the User is additionally a Loyalty Rewards Program member, they may also oversee their account balance for rewards points accrued and consumed.

The Company undertakes to deliver notices to all Registered Users via email containing news and weekly price discount info, while promotional electronic bulletins or newsletters shall be delivered only to the Registered Users who have opted into receiving them.

These additional options enable the Company to inform its loyal Clients in a timely manner regarding possible price discounts and promotional offers tailored to their interests, aimed at increasing Client satisfaction.

We make no decisions during automated data processing which relate to you (as per Article 22 Item 1 of the GDPR), but instead analyze only non-personal information collectively segmented according to gender, age groups, product categories and purchase times. This data is analyzed in order to gauge the efficacy of promotional messaging, popularity of product categories as well as purchase patterns among our clients. Purchase location is another segmentation criterion. This criteria helps us to determine which goods to carry in the future and what times and product categories should be included in the news and price discounts delivered to you. We analyze only non-personal information.

4. Technical and Organizational Data Protection Measures

The Processor shall apply adequate technical and organizational measures to protect the personal information as well as the integrity of the processing itself. In addition to work environment safety measures, we apply communication channel encryption by using the SSL (Secure Socket Layer) protocol.

The Processor shall process personal information in collaboration with various Executors in the field of information technology, namely renowned Croatian companies with substantial experience in the area. These Executors have been carefully vetted and contractually bound to protect the integrity of the information in accordance with Article 28 of the GDPR.

Your data shall not be forwarded to external entities nor transported outside the European Economic Area. The sole exception to this may be in response to demands issued by the Croatian supervisory body (known as AZOP) or compliance with requests originating from judiciary agencies.

Upon membership cancellation or loss of access to a Tommy sales user account in accordance with Article 5 of the Terms of Use, a Member shall be marked as an Inactive User in the system. From the moment a Member is marked inactive, they shall no longer receive promotional materials, discount notices and similar. An Inactive User’s information is erased in a secure manner.

5. Cookies

The Company’s Internet pages use a technology known as cookies in order to simplify the use of our pages and enable the use of certain functions.

A User may adjust their browser software so that our cookies are not archived on their device, however doing so may result in the loss of functionality of said web pages. More about cookies can be found under “Cookie Policy” at

6. Applicants’ Rights

All our applicants are granted full rights guaranteed by the GDPR. These rights are as follows:

  • Right of Access,
  • Right to Correction,
  • Right of Deletion (“Right to Forget”),
  • Right to limit processing,
  • Right to transfer data,
  • Right to object,
  • Right to object to decisions based exclusively on automated processing.

Please note these Rights are not absolute. Depending on the context, legal basis to data processing or the lack thereof, exercising certain rights may be impossible. We undertake to inform you in an appropriate manner should such a situation arise. Members may at any time direct any queries they may have regarding their personal information to the Data Protection Officer at the email address

Applicants may exercise their rights in the following ways:

  • In person at the Company seat at the address 93 Domovinskog rata, 21000 Split, Croatia, or
  • By mailing a request labeled Data Protection Officer, or 
  • Emailing the address

Note: the identity of a person making such requests must be ascertained.

  • if using registered mail, please attach a legible copy of your identification documents, as well as a letter of authority if applicable,
  • if you are coming in person, please have identification documents with you, as well as a letter of authority if applicable

Additionally, applicants have the right to submit complaints to the Croatian regulatory body – the Personal Information Protection Agency (Croatian, “Agencija za zaštitu osobnih podataka” or AZOP): 130 Selska cesta, 10000 Zagreb, telephone +385 (0)1 4609 000,

7. Final Notes

The Tommy d.o.o. company cares for your needs and your personal information, and cares about your opinion. Please feel free to reach out to us any time at 93 Domovinskog rata, 21000 Split, Croatia, or at the Data Protection Officer’s email address at

In Split, November 2, 2021.