PRIVACY RULES

On 21 May 2018, Adria Casino d.o.o. of Dubečka 1, Zagreb, PIN: 90180501899, issues these

 

PRIVACY RULES

 

Introduction

Adria Casino d.o.o. of Dubečka 1, Zagreb, PIN: 90180501899 (hereinafter referred to as Adria Casino d.o.o.) is particularly committed to protecting personal data and privacy (hereinafter referred to as privacy protection) of its customers, suppliers, employees and other parties it may come in contact with (hereinafter referred to as customers) in accordance with the applicable legislation and best European practices. Protecting our customers’ privacy is an integral part of our services and how we conduct our business.

These Privacy Rules are intended to provide clear information about the processing and protection of personal data processed by Adria Casino d.o.o. and allow our customers to easily monitor and manage their personal data and consents.

These Privacy Rules apply as of 25 May 2018 and describe which personal data Adria Casino d.o.o. collects, how it processes them and for which purposes it uses them, for how long and how it retains them, as well as customers’ rights associated with their personal data.

Personal data controller: ADRIA CASINO d.o.o., Dubečka 1, Zagreb, PIN: 90180501899; e mail: zastitapodataka@senator.com.hr, 01/2922 390

Data Protection Officer: e-mail: zastitapodataka@senator.com.hr; phone: 01/2922 390

  1. Scope of applicability

These Privacy Rules apply to all personal data collected, used or otherwise processed by Adria Casino d.o.o., directly or through its partners. Personal data is any data relating to a natural person identified or directly or indirectly identifiable.

Data processing is any action taken on personal data, for example their collecting, recording, storing, using, transferring, viewing, etc.

Adria Casino d.o.o. is the controller in relation to its customers’ personal data within the meaning of the applicable personal data protection legislation.

These Privacy Rules pertain to all natural persons coming in contact with Adria Casino d.o.o. in any capacity (employees, gaming club guests, suppliers…).

 

  1. Personal data processing principles
  • Trust

Adria Casino d.o.o. intends to be fully transparent and clear with respect to the processing of its customers’ personal data, which is the purpose of these Privacy Rules, and maintain with its customers a relationship based on trust.

  • Lawfulness of data processing

Adria Casino d.o.o. acts in compliance with the applicable law when processing personal data.

  • Limited purpose of processing

Adria Casino d.o.o. only collects and processes personal data for specific and legitimate purposes and further processes them to meet the purpose they are collected for.

  • Reduction of data amounts

We always use only such customer data that are appropriate and necessary to fulfill a specific legitimate purpose and no other data.

  • Integrality and confidentiality

Personal data are processed in a secure manner, including protection against unauthorized or illegal processing and against accidental loss, destruction or damage (access to personal data is only allowed to authorized persons on a need-to-know basis, exclusive of any other employees).

  • Quality of personal data

We treat personal data we process as highly important. Personal data we process must be accurate, complete and up to date, so it is important that customers notify us of any change to their data immediately or as soon as possible. Adria Casino d.o.o. is and may not be responsible for any data provided to it by its customers that they later change without notifying it.

  • Limited storage time

We only collect, store and process personal data for as long as this is necessary to fulfill a legitimate purpose, i.e. for as long as we are required to under the applicable legislation (operating documents are retained permanently, video recordings within a gaming club as a monetary institution are retained for 168 hours, etc.).

  1. How we collect personal data

Adria Casino d.o.o. primarily collects personal data directly from its customers (future employees, gaming club customers, etc.). We also collect data via online portals – Moj posao, Posao.hr.

Any collection of personal data is conditional upon the existence of relevant legitimate interest.

  1. Types of data we collect

Adria Casino d.o.o. only collects personal data based on legitimate interest, which is either lawful grounds or customer consent.  The requests we use to collect data indicate the exact purpose they are collected for and where and for how long they are stored.

  • Contractual data

For the purpose of performing or if intending to enter into a contract, business negotiations and the like Adria Casino d.o.o. may collect the following personal data:

  • Names of natural persons representing corporations or real property owners, etc.;
  • PIN:
  • Residence;
  • E-mail address;
  • Real property ownership information; and
  • Bank account information.

 

These data are retained for the period defined by a specific law depending on the type of the contract, such period being necessary to perform the contract, and are erased thereafter. In case a customer refuses to provide any requested data necessary to perform a contract, Adria Casino d.o.o. reserves the right to refuse to establish a business relationship with such customer.

  • Data collected pursuant to the Monetary Institutions Protection Act

In its gaming clubs, Adria Casino d.o.o. uses alternative methods of monetary institution protection and implements, pursuant to the Monetary Institutions Protection Act (Official Gazette No 56/15), all gaming club protection measures in accordance with the Project Documentation prepared by ADC – Alarmni Dojavni Centar, Letovanička 22, Zagreb, separately for each gaming club. Each gaming club has an installed video surveillance system within and outside the facility, which stores video recordings in digital format. The communication between the controller and ADC is conducted via a controlled and secure line. Access to the server and the monitor designed for viewing video surveillance is only allowed to authorized persons appointed by the controller. Video surveillance recordings are retained in accordance with the Monetary Institutions Protection Act.

  • Data collected pursuant to the Anti-Money Laundering and Terrorist Financing Act

Based on our obligation to conduct customer due diligence before establishing a business relationship, we are, pursuant to the Anti-Money Laundering and Terrorist Financing Act (Official Gazette No 108/2017), required to collect the following personal data:

  1. For a natural person, attorney or legal representative: full name, residence, day, month and year of birth, identification number, name and number of the identity document, issuer’s name and country, and nationality(ies);
  2. For a natural person for whom the transaction is intended: full name, residence and the natural person’s identification number, if any;
  3. For a craft business or any other independent undertaking:
  4. a) name, registered office (street and building number, town/city and country) and identification number of the craft business or person engaged in any other independent undertaking where a business relationship is being established or a transaction is being executed for such craft business’s or other independent undertaking’s business purposes; and
  5. b) name, registered office (street and building number, town/city and country) of the craft business or person engaged in any other independent undertaking for which/whom a transaction is intended and the identification number of the craft business or person engaged in any other independent undertaking, if any.
  6. For a customer’s beneficial owner: full name, country of residence, day, month and year of birth, and nationality(ies);
  7. Data about the purpose and the intended nature of the business relationship, including information about the customer’s business activities;
  8. Date and time of establishing the business relationship;
  9. Date and time of transaction execution, transaction amount and currency, transaction execution method and, if an obliged entity finds the money laundering or terrorist financing risk to be high based on a risk assessment conducted in accordance with the provisions of this Act and the secondary legislation enacted pursuant thereto, the purpose of the transaction;
  10. Data about the source of the funds which are or will be the subject of a business relationship;
  11. Data about the source of the funds which are or will be the subject of a transaction;
  12. Any other data about transactions, funds and persons in accordance with Article 20, in conjunction with Articles 56 and 57 of the Anti-Money Laundering and Terrorist Financing Act.

Such data are retained for 10 years following the termination date of the business relationship, which period is defined by the Anti-Money Laundering and Terrorist Financing Act.

  • Data collected for marketing purposes

Adria Casino d.o.o. only collects data it uses for marketing purposes, such as creating a database in its CRM application which customers use to obtain various benefits, on the basis of consent given by the individual whose data are being collected.

If it becomes necessary to collect other personal data or if new legitimate interest arises based on which Adria Casino d.o.o. should collect personal data, it shall supplement these Privacy Rules and publish them on its website.

  • Senator Hit the Jackpot application

When downloading content from Senator Hit the Jackpot application ( voucher ), it is necessary to enter personal information: Nickname, personal name, surname, date of birth and number of ID. By entering personal information and downloading vouchers you are giving us your approval for collecting and processing your personal data.

Personal data that we have collected via Senator Hit the Jackpot application will be used only for marketing purposes, for measuring the success of promotions, and all personal data will be treated in accordance with General data protection regulation EU (2016/679)

  1. The purposes for which we collect personal data

Data are processed in a fair and lawful manner, to the extent necessary. Adria Casino d.o.o. collects and processes personal data of its business partners, customers and the like for the purpose of entering into and performing a business cooperation contract, in cases defined by law, and subject to customer consent, exclusively for the purpose such consent is given for.

  1. Customer consent

Customer consent is customer’s voluntary, specific, informed and unambiguous expression of desire whereby a customer makes a clear statement or takes a confirmatory action to indicate his agreement to the processing of his personal data for specific purposes (e.g. a specific promotion).

The customer may manage his expressions of his intentions and his consents based on his needs and interests, so he may deny his consent at any time, easily and free of charge, personally within the business unit where he gave his consent or by an e-mail sent to the address dedicated to data protection.

  1. Posting customers’ photographs on controller’s official website (www.web.senator.hr) and official Facebook profile (Senator automat klubovi Hrvatska)

Adria Casino d.o.o. notifies its customers that it has a photographer who takes photographs of each promotion event, birthday party, etc. within each gaming club and that they may tell the gaming club manager directly if they prefer not to be photographed and posted on the official website and official Facebook profile. If a customer fails to tell the gaming club manager that he prefers not to be photographed, he may contact our Data Protection Officer at zastitapodataka@senator.com.hr and such photograph shall be removed as soon as practicable.

  1. Personal data protection measures

The required technical measures and procedures have been undertaken and access to personal data is controlled and only allowed to authorized persons in accordance with the Personal Data Protection Act. The latest security procedures are used for data collection and processing, including servers, databases, backup, firewalls, encryption, surveillance systems and physical and software-based access control to provide protection against loss or abuse of personal data.
8.1.   Physical security of data

  • The company premises are protected by an alarm system and a video surveillance system directly connected to the security firms we cooperate with, which respond based on our call or an automated alarm that goes off in their alarm centers, after which security guards visit the relevant location. All our sites are equipped with state-of-the-art sophisticated equipment defined by the Monetary Institutions Protection Act;
  • The server equipment used to store data is contained in server rooms protected as described above and additionally within locked server cabinets inside such server rooms;
  • Each site where personal data are kept uses access control based on electronic inlets and RfID card readers, both at the site and in each room within the site;
  • Each site where personal data are kept is secured by fire protection measures.

8.2.    Digital protection of data

  • Computers/workstations in offices – the Active Directory and Domain or Group Policy separately define the terms for each user account;
  • Computers/workstations within gaming clubs are either physically secured inside an anti-burglary cash register which is locked and may only be accessed by gaming club employees or digitally by a password;
  • Mobile devices are protected by mandatory password-based phone locking.

Our security includes systems for the prevention of viruses and other malware, scripts and code parts, sending and receiving of such applications, etc.

Backup is performed on a regular basis on all systems relevant to business and where legally prescribed.
Computer access to any system is restricted in several ways. The security methods used include but are not limited to the restriction of access rights on the user account level and to allowing access to databases to authorized persons only. This helps protect our systems against unauthorized access, installation of unwanted applications, deliberate causing of data loss, etc.

  1. Personal data processors

As the personal data controller, Adria Casino d.o.o. has contracts in place with several processors that act in compliance with the Regulation and treat all personal data exactly as prescribed therein and defined by the contracts we have in place with them and the relevant annexes thereto.

The processors Adria Casino d.o.o. deals with are:

  • ADC – Alarmni Dojavni Sustav d.o.o., Letovanička 22, Zagreb;
  • Micro World d.o.o., Vrbje 5, Zagreb;
  • Integrirani poslovni sustavi d.o.o., Mokrice 100, Oroslavlje; and
  • Net plus d.o.o., N.Tavelića 17, Htašćica, Varaždin.
  1. Transferring personal data to third parties

Adria Casino d.o.o. is required to forward all personal data it collects pursuant to the applicable legislation to the relevant authorities within the scope of their statutory activities (Ministry of Finance, Ministry of the Interior, Anti-Money Laundering and Terrorist Financing Office, etc.).

All data collected by Adria Casino d.o.o. are treated as confidential information and may only be disclosed in the cases provided for by the law.

  1. Subject rights (rectification, erasure, objection, access, restriction of processing, transferability)

Pursuant to the General Data Protection Regulation, each customer is allowed to:

1) request from the controller access to his personal data and to rectify or erase such personal data in accordance with the provisions of these Rules and the relevant statutory provisions;
2) request from the controller to restrict the processing of data relating to him as a subject in accordance with the provisions of these Rules and the relevant statutory provisions;
3) object to the processing of his personal data, including the use of personal data for direct marketing and automated decision-making purposes, including profiling, in accordance with the provisions of these Rules and the relevant statutory provisions;
4) request from the controller to transfer any personal data relating to him in accordance with the provisions of these Rules and the relevant statutory provisions; and
5) withdraw his consent to the processing of his personal data at any time.

Such withdrawal of customer’s consent shall not affect the lawfulness of the processing of his personal data collected based on his consent before its withdrawal.

In case a customer has any questions or complaints or wishes to submit a request or exercise his rights in connection with the protection of any personal data specified in the Regulation or in the preceding section, he may contact our Data Protection Officer or controller electronically at zastitapodataka@senator.com.hr or in writing at:

Adria Casino d.o.o., Dubečka 1, Zagreb.

You may at any time contact us and view, alter or modify/rectify such data in accordance with your rights under the applicable laws.

The customer may at any time submit a complaint to the personal data protection supervisory authority:

Personal Data Protection Agency
Martićeva ulica 14, 10000 ZAGREB