Personal data protection policy

Heraklea d.o.o. understands the importance of its employees’ privacy rights. Accordingly, we have been applying privacy rules since the foundation of the company because we recognize the rights of our mystery shoppers and clients in order to protect their personal data. This document serves as an information manual about how we collect data about you, for what purpose, and how we store and use it.

The practices of the agency, its employees and external staff are governed by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data (GDPR), the Law governing the implementation of the general data protection regulation (NN 42/2018) and the personal data protection code of the Croatian Chamber of Economy’s Association for market, media and public opinion research, which we have signed.

Heraklea d.o.o. is also an elite member of the international professional association MSPA, which has more than 220 member companies on all continents and whose procedures follow strict rules and ethical guidelines regulating the way in which the distinct mystery shopping research method is employed.



Every time you take part in a research study performed by the Heraklea agency, you entrust us with your data.

We collect and receive data in the following ways:

  • Via our web-services, forms, apps, the company’s pages on social media and in other ways
  • Sometimes they are obtained directly (for example when you fill in an application form or when you contact us directly), and sometimes they are obtained using cookies on our web-services and our app
  • By filling in the application form for the position of mystery shopper, via our web-services or the app MARTI 3.1., where your first and last name, date of birth, address, personal identification number, e-mail address, telephone number, bank account data, age and others may have to be entered
  • While forms are being filled in, your IP address may be logged
  • After you sign the contract, you will have access to your user profile in our app. You will use your username and get a shopper ID and password, and you will be able to give us additional information about your habits, lifestyle, finances and other information that helps us find the most appropriate tasks for you
  • If you contact us via post, e-mail, social networks, web or phone, we may keep records of the correspondence
  • When you participate or are invited to participate in surveys or pro-bono research projects, your data may be used for administering and collecting aggregated anonymous information about the results we deliver to third parties, but your data will never be disclosed to third parties



When you apply for the position of mystery shopper, we may use the data we have collected from you for the following purposes:

  • Profiling and mystery shopper profile assessment for project purposes
  • Inclusion into the list of mystery shoppers
  • Managing your user account
  • Collecting and maintaining history data about your mystery shopping tasks, how you make and manage payments, as required by law
  • Fulfilling our responsibilities resulting from the Contract signed with you and in order to provide you with information you may request
  • Contacting mystery shoppers by phone, e-mail or post in order to inform them about current projects and to possibly engage them as mystery shoppers
  • Contacting mystery shoppers during the field work research part, trainings, evaluation follow-ups, submitting data necessary to perform evaluations, and receiving notifications about the tasks you are assigned to from those you have subscribed to
  • Contacting mystery shoppers in order to inform them about workshops and conferences organized by Heraklea and send congratulatory e-mails for birthdays and similar occasions
  • Sending documents by post where we have to state your first name, last name, address and town



In order to protect the data Heraklea collects, we take appropriate physical, technical and organizational safety measures.

All collected data is stored in protected databases. Only authorised personnel in our agency have access to those databases. We use data protection and leakage prevention tools, continuously monitor critical systems, encrypt certain sensitive data and protect data from unauthorised access, change, loss, theft or any other form of data breach or misuse. Should a data breach occur, we will take all available measures to minimize its consequences. The appropriate authorities and all subjects concerned whose data is at risk will be notified without delay should the breach pose a high risk to their rights and freedoms.

All Heraklea employees and external staff must sign a data confidentiality (non-disclosure) contract that binds them to non-disclosure of business secrets, including information about personal data of mystery shoppers. Should an employee violate the Contract and disclose some confidential information, penalties may apply not only in the form of fines, but also in the form of cancellation of safety confirmations, suspension and termination of employment.

From 25 May 2018 onwards, when the Regulation entered into force, our mystery shoppers have been required to give their consent to participate in research and for their personal data to be collected. Only mystery shoppers who give their consent in written, electronic or spoken form may take part in research.

As a mystery shopper you are entitled to the following rights after your identity has been verified:

  • Right to access the data we have stored (the mystery shopper may at his or her request get access from the agency to data stored about him or her, if the data is still available, or if it has not been permanently deleted)
  • Right to change personal data (the mystery shopper may at his or her request change the personal data stored about him or her)
  • Right to delete personal data (at the request of the mystery shopper all personal data may be partially or completely deleted. The Agency is obligated to exclude and delete data if available. If the deletion of already anonymized and statistically processed data for the purpose of reporting at a group level is requested, it will not be possible to exclude such data from the report)
  • Right to withdraw their consent to data processing (consent withdrawal will not have an impact on the legitimacy of data processing due to the fact that the consent had been obtained before the withdrawal)
  • Right to object (to object, to claim your rights or to request additional information about the way we manage personal data, feel free to contact our personal data protection officer):

E-mail address:

Telephone number: 01/4811 760

Heraklea d.o.o. reserves the right to modify its Personal Data Protection Policy according to any legal changes and the development of its business. A notice of any such change will be posted on our website.


Zagreb, 25 May 2018