What is the content of this document? What happens to your personal data when you interact with this Site or with CMM Patience in general?

This privacy policy ("Privacy Policy") applies to any collection and processing of personal data carried out:


(I) when you interact with the website (the "Site") operated by CMM Patience Ltd Belgrade – New Belgrade, Jurija Gagrina 97/125, Belgrade – New Belgrade, Serbia ("CMM Patience", "we", "our" or "us");


(II) when you purchase a product or request other services from CMM Patience, whether online on our Site or offline in our stores, including when you contact our customer service for post-sale customer services or specific questions or requests;


(III) when we communicate with you as part of our marketing activities.


By accessing and using this Site or otherwise providing us with your personal data, you confirm that you have read and that you understand the way we collect, process, use and disclose your personal data as described in this Privacy Policy.


For specific processing activities, we need to obtain your consent to collect and process your personal data. When we need your consent, we will ask you, before you submit personal data or use the relevant sections of the Site, to confirm electronically that you consent to the processing activity at stake, as described in this Privacy Policy, by ticking specific boxes. Your affirmative action in ticking the relevant box and your use of this Site signify that you agree to the processing activity at stake as described in this Privacy Policy. Our records of your acceptance of this Privacy Policy, the date thereof, and of all future amendments to this Privacy Policy, will be considered as conclusive and written evidence of your consent.


We collect and process your personal data in accordance with the General Data Protection Regulation (EU) 2016/679 of 27 April 2016 and applicable as of 25 May 2018 ("GDPR") and the Serbian Personal Data Protection Act (Official Gazette of the Republic of Serbia, no. 87/2018) applicable as of 21 August 2019.


Who controls the processing of your personal data? Who is accountable for it?

The controller of the processing of your personal data is CMM Patience.

What personal data are processed?


Automatic information collection on this site

The processing of your personal data when you merely visit and consult the Site is limited to the so-called surfing data, namely the data whose transmission to the Site is implicit in the functioning of the systems in charge of the managing of the Site and in the communications protocols peculiar to the Internet. Surfing data are, for example, the IP addresses of the devices you use to connect to the Site and other parameters relating to your device and operating system.


In principle, surfing data, such as these above specified, and for example the number of visits and the time spent on the Site, are collected and processed by us exclusively for statistical purposes and in aggregated form for the purpose of measuring and enhancing the functionality of the Site. Due to the nature of the surfing data, these data may lead to identification of users if they are associated with data held by third parties; however, we do not collect surfing data in order to associate them with identified users, except where the said data may be used to assess possible responsibilities in case of information crimes realized against the Site or through the Site, to the extent permitted by law.


In addition, certain information is gathered on this Site by means of cookies and other tracking technologies as described in our Cookie Policy. By actively closing the Site Cookie Banner and by setting your cookie preferences through our settings and in your browser, you are agreeing to our use of cookies and similar technologies. If you do not agree to our use of cookies in this way, you should set your cookie settings accordingly. You will always be able to withdraw your consent and change your cookie preferences at any time. If you disable cookies that we use, this may impact your user experience while on this Site. Please refer to our Cookie Policy for further details.


Information you provide voluntarily to us:


We collect and process:


1. personal data that you provide when you interact with the Site functionalities, for example, when you open an account on our e-Commerce platform. This personal data may include:


• IP address;

• username;

• password;

• first name;

• last name;

• company;

• VAT number;

• address (shipping and billing address(es));

• city;

• post code;

• country;

• phone number;

• e-mail address;

• the history of products you purchase; and

• details regarding your transaction.


2. personal data that you provide when you interact with our customer service, for example, when you send a question about an CMM Patience product, communicate feedback to us, contact our customer service call center for support, or request specific assistance or service from our customer service. This personal data may include:


• your name, e-mail address, telephone number;

• the history of products you purchase;

• information regarding the reasons for which you contacted our customer service; and

• content of your communications relating to your interaction with customer service.


For what purposes are your personal data processed?


We collect and process your Personal Data for the following purposes:


1. CMM Patience, as the controller, processes your personal data for the following purposes:


a. to operate and manage the Site, including:


- to provide you with the services or functionalities that you request on the Site;
- to create your account and manage your subscription on the Site;
- to improve your browsing experience and ameliorate the Site;


b. to conduct marketing activities, including:


- for direct marketing purposes, including:
(a) to manage your subscription to our newsletter(s) or mailing list(s);
(b) to allow participation to promotions and other initiatives;
(c) to send you (subject to your consent, that is optional), also through e-mail or other electronic communications means such as SMS, MMS, etc. promotional information and material on our products and services, on special initiatives on price and promotions and on initiatives such as loyalty programs and events organized by CMM Patience;
- for survey purposes (subject to your consent, that is optional);
- for profiling purposes (subject to your consent, that is optional);
- for the purpose of improving our products and services;


c. for other purposes:


- for fraud prevention purposes; and
- for compliance with our obligations under applicable laws, regulations and Community legislation, and for assessment and defence of a legal right.


2. CMM Patience, also processes your personal data for the following purposes:


a. to manage your purchases of CMM Patience products through our e-Commerce platform:


- this includes all activities relating to the purchase of goods, such as delivery of goods, billing, returning and exchanging of goods, receiving refunds, purchase and use of gift cards and e-gift cards, as applicable, payment related activities, including use of vouchers;


b. to provide you with our customer-service, including:

- to provide you with after-sale services;
- to respond to your request(s) for information, question(s), communication(s) or feedback;
- for internal training purposes and improvement of our customer-service;


c. for other purposes:


- to prevent fraud; and
- to comply with our obligations under applicable laws, regulations and EU legislation, and to assess and defend a legal right.


What are the legal bases for the processing of your personal data as described herein?

We collect and process your personal data for the purposes described in the Section "For what purposes are your personal data processed?" on one of the following legal bases:


• the processing of your personal data is necessary for performance of a contract with you or in order to take steps prior to entering into a contract with you at your request (Article 6, 1., (b) of the GDPR);

• the processing is necessary for the purposes of our legitimate interests or our CMM Patience or other third parties' legitimate interests, and such interests are not overridden by your interests or fundamental rights and freedoms (Article 6, 1., (f) of the GDPR); the legitimate interests that we pursue notably include our interest to manage and maintain the contractual relationship with you, to answer to your specific requests, to ask for your feedback in order to improve our Site and our products, or to pursue other general marketing activities; and

• where your specific consent is required to the processing of your personal data as described herein, your personal data will be processed based on such consent (Article 6(1)(a) of the GDPR).


How long will your personal data be processed?

Personal data are not kept for longer than the time necessary to achieve the specific data processing purposes described herein, unless shorter or longer retention periods apply under applicable laws. For instance, due to accounting requirements we must keep the data related to purchase orders for the period of five years following the business year during which you have placed your order.


In specific circumstances we may also retain your personal data for longer periods of time corresponding to the applicable statute of limitations so that we have an accurate record of your dealings with us in the event of any complaints or challenges.


Are your personal data safe?

We are committed to protect the security and confidentiality of your personal data. We take – and require that any service provider and/or third party processor processing personal data on our behalf and on our instructions takes – appropriate technical and organizational measures to prevent loss and destruction, even accidental, of data, unauthorized access to data, unlawful or unfair use of data. Moreover, information systems and software programs are configured so that personal and identification data are used only when necessary to achieve the specific processing purpose from time to time sought.


We deploy a variety of advanced security technologies and procedures to help protecting personal data against the risks outlined above. For example, your personal data are stored on secured servers placed in controlled locations. Moreover, for the transmission of some data through the Internet encryption techniques such as the Secure Socket Layer (SSL) protocol are deployed.


However, please note that no electronic transmission or storage of information is 100% secure. Therefore, despite the security measures that we have put in place to protect your personal data, we cannot guarantee that loss, misuse, or alteration of data will never occur.


Where do your personal data go? Who are the recipients, where are the data transferred and for what purposes?


Personal data collected through our Site, including as part of the sale of goods via our e-Commerce platform, are stored on servers provided and managed by our third-party storage and hosting provider in Serbia. Your personal data will not be transferred outside Serbia.


We communicate personal data within the limits and under the circumstances specified in this Privacy Policy, subject to your specific consent when required under applicable data protection laws:


1°. Your personal data will be accessible within our organization by our personnel that need to access it because of their duties in relation to the processing purposes herein specified. We ensure that these persons are bound by appropriate security and confidentiality obligations.


2°. Your personal data may also be accessible by third party service providers that we appoint as Processors to process personal data on our behalf and on our instructions (as Processors). These Processors include:


• third party service providers to which we may revert to for performance of professional, technical and organizational services functional to the managing of the Site and the activities performed therein, such as for example the sales of goods and related activities, the managing of functionalities offered by the Site and of the initiatives and services that you may subscribe to and require through the Site, and for services strictly functional to achievement of the other processing purposes herein specified;

• third party service providers to which we revert for closing purchase transactions and payment processing through our e-Commerce platform; and

• third party service providers that are managing and supporting the Site, the relevant e-commerce platform and all the pre- and post-sale activities, such as, order processing, performance marketing, e.g. financial services, customer relationship management, etc.


These Processors are bound by appropriate contractual obligations to implement adequate security measures to protect security and confidentiality of personal data.


3°. Your personal data may also be shared with institutions, authorities, public entities, banks and financial institutions, professionals, independent consultants, business partners or other legitimate recipients as permitted by applicable laws and regulations, for example in case of judicial processes, request by competent courts and authorities or other legal obligation, to protect and defend our rights and property and the Site.


4°. Lastly, we may also communicate your personal data to third parties in case of mergers, acquisitions, or transfers of any of our assets, products, websites or operations.

Except for the foregoing, personal data will not be shared with third parties, natural persons or legal entities, that are unrelated to, or that do not perform a business, professional or technical function for us.


Personal data will not be communicated to third parties for their own marketing purposes.


Are you obliged to provide your personal data? What are the consequences if you refuse to provide the data?

Except in relation to the surfing data (please refer to the above section "What personal data are processed?), providing your personal data may be a requirement necessary to enter into or to perform a contract, including for the performance of certain services and functionalities offered by the Site, such as registration to our e-Commerce platform, subscription to our newsletter(s), the purchase of goods through the e-Commerce platform, the management of participation to loyalty programs, promotions and other initiatives communicated through the Site, replying to and managing of request of information, questions, communication or feedback. In the above referenced circumstances, refusal to provide your personal data would make it impossible for us to perform the contract or to provide the requested services, products or information as above specified.


Providing your personal data for survey, marketing and other purposes as above specified is optional; refusal to provide your personal data for these purposes will not have any impact on the entering into or performance of the contract. When requested under applicable data protection laws, we will collect your prior consent before proceeding to processing your personal data for these purposes.


Does the site contain elements controlled by third parties? Who is responsible and liable for these elements?

The Site may contain links to other sites, as well as objects or elements controlled by third parties.

An example is plug-ins that may connect our Site to social networks like Facebook or Twitter ("social plug-in") and that are usually identified by the relevant social network's logo. If you interact with a social plug-in on our Site, your browser may send such social network certain data relating to you, such as your user ID, information on the Site, date and time, and other browser-related information. Such information will be processed by the social networks, owned and operated by third parties, according to their privacy policies.


We do not have access nor control over elements, objects, plug-ins, cookies, web beacon and other items or tracking technologies owned and operated by third parties, available on our Site or on the relevant third party websites, which users may access on or from the Site, and over the relevant methods of processing of personal data through such elements or sites. We disclaim any responsibility for such websites. You should check the privacy policy of third party websites and elements accessed from the Site to learn about the conditions applicable to the processing of personal data since this Privacy Policy applies only to this Site.


What are your rights in relation to the processing of your personal data and how can you exercise them?

You are entitled at any moment to enforce the rights available to you under applicable data protection laws, including but not limited to the right of access, rectification, restriction, erasure, opposition (including objecting, at any time and for free, to the processing of your personal data for direct marketing purposes), right to portability as well as the right to withdraw your consent. You also have the right to lodge a complaint with a competent supervisory authority.


For a summary on what the abovementioned rights involve and how you can exercise them, please refer to Appendix 1 to this Privacy Policy.


For any query or request relating to the personal data processing by us and to enforce the rights under applicable data protection laws, you may contact


Can we make changes to this Privacy Policy?

We reserve the right to update and amend all or parts of this Privacy Policy, at any time, to the fullest extent permitted under applicable law. The version published on the Site is the version actually in force. If we change this Privacy Policy, we will notify you of such changes by posting a link on the home page of the Site to the amended privacy policy that reads "Newly Revised Privacy Policy" and/or notifying you in any other manner (such as by email where appropriate or required by law and to the extent that we have your e-mail address).




As an individual whose personal data are processed as described in this Privacy Policy, you have a number of rights which are summarized below. Please note that exercising these rights is subject to certain requirements and conditions as set forth in applicable law.


Right of access

Subject to applicable law, you have the right to obtain confirmation from us as to whether or not personal data that concerns you are processed, and, if so, to request access to such personal data including, without limitation, the categories of personal data concerned, the purposes of the processing and the recipients or categories of recipients. However, we do have to take into account the rights and freedoms of others, so this is not an absolute right. If you request more than one copy of the personal data undergoing processing, we may charge a reasonable fee based on administrative costs.

Right to rectification

You have the right to request from us the rectification of inaccurate personal data concerning you. Depending on the purposes of the processing, you also have the right to request that incomplete personal data be completed, including by means of providing a supplementary statement.


Right to erasure ('right to be forgotten')

You have the right to request from us the erasure of personal data concerning you in certain circumstances as defined under applicable law. When your request falls within one of those circumstances, we will erase your personal data without undue delay. If, for technical and organisational reasons, we were not able to erase your personal data, we will ensure that it is fully and irreversibly anonymized so that we will no longer be holding such personal data about you.


Right to restriction of processing

In certain circumstances as defined under applicable law, you have the right to request the restriction of processing of your personal data. In such case, your personal data shall, with the exception of storage, only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest.

Right to data portability

In certain circumstances as defined under applicable law, you have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and you may have the right to transmit that data to another controller or to have such personal data transmitted directly from us to another controller, where technically feasible.

Right to object

Under certain circumstances as defined under applicable law, you have the right to object, on grounds relating to your particular situation, at any time of the processing of your personal data by us and we can be required to no longer process your personal data unless we demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defense of legal claims. This notably applies in case of processing of your personal data based on our legitimate interests or for statistical purposes.

Right to object to direct marketing

Where your personal data are processed for direct marketing purposes, you have the right to object at any time to processing for such direct marketing.

Right to withdraw consent

If you have provided your consent for any personal data processing activities as described in this Privacy Policy, you can withdraw this consent at any time with future effect. Such a withdrawal will not affect the lawfulness of the processing prior to withdrawal of the consent.


If you wish to access your personal data or exercise any of the rights listed above, you should apply in writing, providing evidence of your identity to our Privacy Office at


Any communication from us in relation to your rights as detailed above will be provided free of charge. However, in case of requests that are manifestly unfounded or excessive, in particular because of their repetitive character, we may charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or refuse to act on the request.


In case you have a complaint about the processing of your personal data, you have the right to lodge a complaint with a competent supervisory authority.