© 2015.-2026. Studio Sonda d.o.o. All rights reserved

Privacy Policy

1. Introduction and Identity of the Data Controller

This Privacy Policy explains how Studio Sonda d.o.o. (hereinafter “we” or “Controller”), based in the Republic of Croatia, collects, uses, and protects the personal data of users of our website (hereinafter “Data Subjects”). As the Controller, we determine the purposes and means of processing personal data and are responsible for processing in accordance with the General Data Protection Regulation (GDPR, Regulation (EU) 2016/679).

Identity of the Controller:

  • Name: Studio Sonda d.o.o.
  • Registered Address: Vižinada 62, 52447 Vižinada, Croatia
  • Privacy Contact (Data Subject Requests): info@sonda.hr
  • Contact for Data Protection Officer (DPO): info@sonda.hr

2. Legal Basis and Purpose of Data Processing

We process your personal data solely based on the legal grounds defined in Article 6 of the GDPR. Collection takes place directly from you at the time of subscription to the newsletter.

A. Processing for Newsletter Purposes (Direct Marketing)

Purpose: Sending notifications, creative news, promotional materials of the studio, and invitations for collaboration (direct marketing).

Data Categories: Email address, IP address used during registration, timestamp of registration and confirmation (double opt-in), and language of communication.

Legal Basis (GDPR): Explicit Consent of the Data Subject (Article 6(1)(a)). Consent is evidenced by storing the IP address and registration timestamp.

Storage Criteria: Data is stored as long as the Data Subject does not withdraw their consent. After withdrawal of consent, data is deleted without delay. The Controller performs regular reviews of inactive subscribers (e.g., every three years) and deletes those whose processing purpose has ceased.

B. Processing for Technical Functioning and Website Security

Purpose: Ensuring network and IT system stability and security, diagnosing technical errors, and preventing malicious activities.

Data Categories: IP Address, browser data, Session ID, Date/Time of access (Server Logs).

Legal Basis (GDPR): Legitimate Interest of the Controller (Article 6(1)(f)). Our legitimate interest is the necessary maintenance of functionality and security of our digital services.

Storage Criteria: Server logs are stored only as long as necessary for the analysis of security incidents, up to a maximum number of days.

3. Cookies and Similar Tracking Technologies

We use strictly necessary cookies that are essential for the technical functioning of the website (e.g., session management, security settings). No consent is required for these cookies, but their purpose and necessity must be disclosed to you.

If we use any other types of cookies (e.g., analytical, marketing, performance) that are not strictly necessary, they will not be activated until we receive your explicit and informed consent via a Cookie Consent Banner. You have the right to refuse these cookies without affecting access to website content.

4. Data Recipients and International Transfer

A. Categories of Recipients

Your personal data may be transferred to the following categories of third parties (Processors) acting on our behalf and under our instructions:

  • Hosting and IT system maintenance service providers.
  • Email platform providers (Newsletter Service Provider).
  • Web analytics service providers (only with your consent).

We have Data Processing Agreements (DPA) in place with all Processors to ensure that your data is processed in accordance with the GDPR (Article 28).

B. International Transfer (Transfer to Third Countries)

If data must be transferred outside the European Economic Area (EEA), this is carried out exclusively with the application of appropriate safeguards, in accordance with Chapter V of the GDPR.

  1. Based on an Adequacy Decision (Article 45): The transfer takes place to a country or organization for which the European Commission has adopted an adequacy decision (e.g., commercial organizations participating in the EU-US Data Privacy Framework).
  2. Based on Appropriate Safeguards (Article 46): If no adequacy decision exists, the transfer is ensured by the European Commission’s Standard Contractual Clauses (SCCs). In this case, we perform a Transfer Impact Assessment (TIA) to ensure additional security measures against unauthorized access by third countries.

5. Data Subject Rights (Your Rights Under GDPR)

You have the right to exercise the following rights regarding your personal data at any time (Articles 15-22 GDPR). Requests are submitted in writing to our privacy contact email address. A response to your request will be provided without undue delay, and at the latest within one month of receiving the request.

  1. Right of Access (Article 15): You have the right to obtain confirmation as to whether or not your personal data is being processed, and to gain access to that data and information about the processing (purpose, recipients, storage period).
  2. Right to Rectification (Article 16): You have the right to have inaccurate personal data concerning you corrected and to have incomplete data completed.
  3. Right to Erasure (‘Right to be Forgotten’) (Article 17): You can request the deletion of your data, especially if your consent is withdrawn or if the data is no longer necessary for the purpose of processing.
  4. Right to Restriction of Processing (Article 18): You can request the restriction of processing your data under certain conditions prescribed by the GDPR.
  5. Right to Data Portability (Article 20): You have the right to receive the personal data you provided to us in a structured, commonly used, and machine-readable format, and to transmit it to another controller.
  6. Right to Object (Article 21): You have an absolute right to object to the processing of your personal data for direct marketing purposes. If you object, the Controller must immediately stop processing that data for that purpose.
  7. Right to Withdraw Consent (Article 7(3)): If the processing is based on your consent (newsletter), you have the right to withdraw consent at any time. Withdrawal of consent is easy, most commonly via the “unsubscribe” link in every email. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

6. Right to Lodge a Complaint with a Supervisory Authority

If you believe that your rights regarding the protection of personal data have been violated, you have the right to lodge a complaint with the supervisory authority in the Republic of Croatia: Personal Data Protection Agency (AZOP).

AZOP Contact Details:

Personal Data Protection Agency

Address: Selska cesta 136, 10 000 Zagreb

Phone: +385 1 4609 000

Email: azop@azop.hr

7. Changes to the Privacy Policy

We reserve the right to modify this Privacy Policy. You will be notified of any significant changes affecting your rights or the way of processing through our website or via email.