Adria Casino d.o.o. of Dubečka 1, Zagreb, VAT No: 90180501899, issues, on 5 October 2020, this
Adria Casino d.o.o. of Dubečka 1, Zagreb, VAT No: 90180501899 (hereinafter referred to as Adria Casino d.o.o.), is particularly committed to protecting personal data and privacy (hereinafter referred to as privacy protection) of its customers, suppliers, employees and other parties with whom it interacts (hereinafter referred to as customers) in accordance with the applicable regulations and European best practices (Regulation (EU) 2016/679 of the European Parliament). Protecting our customers' privacy is an integral part of our services and how we conduct our business.
Controller: ADRIA CASINO d.o.o., Dubečka 1, Zagreb, VAT No.: 90180501899; E-mail: [email protected], 01/2922 390
Data Protection Officer: e-mail: [email protected]; phone: 01/2922 390
Data processing is any operation performed on personal data, e.g. their procession, recording, storage, use, transmission, viewing, etc.
Adria Casino d.o.o. is the controller in relation to its customers’ personal data within the meaning of the relevant personal data protection regulations.
2. Principles of personal data processing
2.2. Lawfulness of data processing
When processing personal data, Adria Casino d.o.o. acts in compliance with the law.
2.3. Restriction of processing
Adria Casino d.o.o. only collects and processes personal data for a specific lawful purpose and continues to process them for the purpose they were collected for.
2.4. Data minimization
We always use only those customer data that are appropriate and necessary to fulfill a specific lawful purpose and no more than that.
2.5. Integrity and confidentiality
Personal data are processed in a secure manner, including protection against unauthorized or unlawful processing or accidental loss, destruction or damage (access to personal data is only allowed to employees on a need to know basis).
2.6. Personal data quality
We treat the personal data we process as highly important. The personal data we process must be accurate, complete and kept up to date, which is why it is important that our customers notify us of any change to their data immediately or as soon as possible. Adria Casino d.o.o. is not and cannot be held responsible for any data received from its customer that such customer later modifies without notifying Adria Casino d.o.o.
2.7. Limited retention period
We only retain the personal data we collect, store and process for as long as this is necessary to fulfill a legitimate purpose, i.e. for as long as defined by the applicable regulations or for as long as this is necessary to perform a contract – on elapse of this time, such data are erased.
3. Collection of personal data
Adria Casino d.o.o. primarily collects personal data directly from its customers for the purpose of entering into contract based on the relevant legislation or customer’s consent.
Any processing of personal data is conditional upon the existence of appropriate legitimate interest.
4. Types of data we collect
Adria Casino d.o.o. collects personal data subject to legitimate interest based on the relevant legal grounds or customer’s consent. The application forms we use to collect such data clearly show the purpose of collecting such data, the location of their storage and their retention period.
4.1. Contractual data
For the purposes of performing contracts, expressing its intention to enter into contracts, business negotiations, etc., Adria Casino d.o.o. may collect the following personal data:
- Names and surnames of natural persons who are representatives of corporations, property owners, etc.
- E-mail address
- Particulars of property ownership
- Bank account information
These data are retained for the periods defined in the respective laws, depending on the type of contract and duration of contract performance, and are thereafter erased. In case a customer refuses to provide any data required for contract performance, Adria Casino d.o.o. reserves the right to refuse to enter into a business relationship with such customer.
4.2. Personal data collected as part of organizing online games of chance
In the context of organizing online games of chance, Adria Casino d.o.o. is required under the relevant laws and regulations to collect the following data:
- Mobile phone number
- Date of birth
- Bank account IBAN
- Type of identity document
- Identity document number
- Expiry date of the identity document
- Name of the identity document issuer
- Country of the identity document issuer
- A scan or image of the identity document
- Particulars of political exposure
- How the customer is exposed
- Type of public function
- Source of funds
These data are retained for the periods defined in the respective laws, but no less than 10 years, and are erased thereafter.
These data are collected based on legal grounds and, in case the customer refuses to provide such personal data, such customer shall not be able to use Adria Casino d.o.o.’s services or take part in games of chance.
4.2.2. For contract performance purposes, Adria Casino d.o.o. uses automated processing of customers’ personal data when organizing online games of chance.
4.2.3. Adria Casino d.o.o. internally processes personal data necessary for the normal functioning of the online and interactive gaming system. Personal data are anonymized and all customer data are processed in anonymized form in daily operations.
Such data are processed for the purposes of organizing online games of chance and certain analyses of customer data are intended to improve our business and the quality and level of service and increase our customers’ satisfaction and are not used for any purposes other than those defined in this Policy.
Personal data may only be accessed directly via the database and logging into it is only allowed to authorized administrators and other specifically authorized employees. Each instance of access is recorded. Access to such data is intended to establish technical functionality, to the exclusion of viewing personal data.
4.3. Data collected under the Monetary Institutions Protection Act
In its gaming clubs, Adria Casino d.o.o. uses alternative methods of monetary institution protection and implements, pursuant to the Monetary Institutions Protection Act (Official Gazette No 56/15) all measures to protect its gaming clubs in accordance with the Project Documentation rendered by ADC – Alarmni Dojavni Centar, Letovanička 22, Zagreb, separately for each gaming club. Video surveillance systems are installed inside and outside these gaming clubs and video recordings are stored in digital format. The controller and ADC communicate via a monitored secure line. Access to the server and monitor for viewing video surveillance records is only allowed to the person designated by the controller. Video surveillance records are retained in accordance with the Monetary Institutions Protection Act.
4.4. Data collected under the Anti-Money Laundering and Terrorist Financing Act
Subject to conducting a prior due diligence investigation as required under the Anti-Money Laundering and Terrorist Financing Act (Official Gazette No 108/2017), we are required to collect the following personal data:
- for natural persons, proxies or legal representatives: name, address, date of birth, national identifier, identity document name and number, issuer’s name and country, and nationality(ies);
- for natural persons for whom the transaction is intended: name, address and natural person’s national identifier, if available;
- for craft businesses and other sole proprietorships: a) name, registered office (street and building number, town/city and country) and identifier of the craft business or other sole proprietorship where a business relationship is being established or a transaction is being conducted for the purposes of operating such craft business or other sole proprietorship; and b) name and registered office (street and building number, town/city and country) of the craft business or other sole proprietorship for whom the transaction is intended and the identifier of the craft business or other sole proprietorship, if available;
- for the customer’s beneficial owner: name, country of residence, date of birth and nationality(ies);
- particulars of the intended purpose and envisaged nature of the business relationship, including information about the customer’s business activities;
- date and time of establishing the business relationship;
- date and time of performing the transaction, transaction amount and currency, how the transaction is conducted and, where the obliged entity finds high AML/TF risk to exist after making an appropriate risk assessment in accordance with the provisions of this Act and its implementing regulations, the intended purpose of the transaction;
- source of the funds to be involved in the business relationship;
- source of the funds to be involved in the transaction;
- any other particulars of transactions, funds and persons as required under Article 20 in conjunction with Articles 56 and 57 of the Anti-Money Laundering and Terrorist Financing Act.
These data are retained for 10 years following the end date of the business relationship, which period is defined in the Anti-Money Laundering and Terrorist Financing Act.
4.5. Data collected for marketing purposes
Adria Casino d.o.o. only collects the data it uses for marketing purposes, such as creating databases in CRM where customers receive different benefits, based on consent of the natural person whose data are being collected.
4.5.1. Senator Hit the Jackpot application
The following personal data must be inserted when downloading transferable items (Vouchers) in the Senator Hit the Jackpot application: nickname, full name, date of birth, and identity card number. By entering such personal data and downloading the voucher, you give us your express consent to collect and process your personal data you make available to us.
We will only use such personal data collected via the Senator Hit the Jackpot application for marketing purposes, to measure the success of our promotions, and such personal data will be treated in accordance with the EU General Data Protection Regulation (2016/679).
5. The purposes of collecting personal data
Data are processed in a fair and lawful manner and only to the extent necessary. Adria Casino d.o.o. collects and processes personal data of its business partners, customers, etc. for the purposes of entering into and performing business cooperation agreements, in cases defined by the law, and in cases where it receives customer’s consent, to the extent of the purpose the consent pertains to.
6. Customer’s consent
Customer’s consent means any freely given, specific, informed and unambiguous indication of the customer's wishes by which he, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data for specific purposes (e.g. a specific promotion).
The customer manages his own indications of wishes and consents depending on his needs and interests, which means he may at any time, easily and free of charge, withdraw his consent at the business unit where such consent was originally given or using the data protection e-mail address.
7. Publication of customers’ photographs on controller’s official website (www.senator.hr) and official Facebook profile (Senator automat klubovi Hrvatska)
Adria Casino d.o.o. informs all its customers that it has its photographer within each gaming club, who takes photographs of each promotion or birthday party or any other similar event, and customers may tell the gaming club manager at the scene if they do not wish to be photographed and published on the official website and Facebook profile. If they fail to inform the gaming club manager that they do not wish to be photographed and do not wish their photographs to be published, they may contact the Data Protection Officer at: [email protected] and the photograph will then be removed as soon as possible.
8. Personal data protection measures
Pursuant to the Personal Data Protection Act, we implement the required technical measures and procedures and ensure control of access to personal data, which is only allowed to specifically authorized persons. State-of-the-art security procedures are used to collect and process data, including servers, databases, backup capabilities, firewalls, encryption, surveillance and access control systems, both physical and software-supported, to ensure protection against loss or abuse of personal data.
8.1. Physical data protection
- Company premises are protected by an alarm system and a video surveillance system directly connected to the security firms we deal with, who respond either to our call or to the automated alarms activated at their alarm center, and their security guards are then dispatched to the scene. All our sites are equipped with state-of-the-art sophisticated equipment required under the Monetary Institutions Protection Act;
- The server equipment used to store data is located in server rooms protected as aforementioned, and additionally within lockable server racks inside such rooms;
- All sites containing personal data use access control via electronic verification systems and RFID card readers, both at each site and within each room at each site;
- All sites containing personal data implement appropriate fire protection measures.
8.2. Digital data protection
- Computers/workstations in our offices – the relevant requirements are set separately for each user account through Active Directory and Domain, and through the Group Policy;
- Computers/workstations in our gaming clubs are protected either physically within an anti-burglary safety deposit box which is locked and may only be accessed by gaming club employees or digitally by using a password;
- Mobile devices are protected through the required locking of mobile devices using a password.
Our protection includes systems to prevent viruses and other malware, scripts and source code parts from running, to prevent sending and receiving of such apps, etc.
Where legally required, all business-essential systems are backed up.
Electronic access to all systems is restricted in several ways. Our protection methods include but are not limited to the restriction of the right to access user accounts and allowing access to personal databases to authorized persons only. This is, among other things, intended to protect our systems against unauthorized access, installation of unwanted apps, intentional causing of data loss, etc.
9. Personal data processors
As the controller, Adria Casino d.o.o. has contracts in place with several processors that comply with the Regulation and treat their personal data exactly as defined therein, which is also defined in our contracts with them, including the relevant annexes thereto.
10. Transmission of personal data to third parties
Adria Casino d.o.o. is required to provide personal data it collects pursuant to the applicable legislation to the relevant authority as part of such authority’s official activities (Ministry of Finance, AML/TF Office, etc.).
Data collected by Adria Casino d.o.o. are considered to be confidential business information and may only be disclosed if so permitted by law.
11. Data subjects’ rights (rectification, erasure, objection, access, restriction of processing, portability)
Pursuant to the General Data Protection Regulation, each customer may:
- request from the controller access to his personal data and rectify or erase his personal data in accordance with this Policy and the applicable legislation.
- request from the controller to restrict the processing of data relating to him as a data subject in accordance with this Policy and the applicable legislation.
- object to the processing of his personal data, including the use of personal data for direct marketing purposes and automated decision-making including profiling in accordance with this Policy and the applicable legislation.
- request from the controller to transmit the personal data concerning him in accordance with this Policy and the applicable legislation.
- withdraw his consent to personal data processing at any time.
If the customer withdraws his consent, this shall be without prejudice to the lawfulness of processing his personal data collected based on his consent before its withdrawal.
In case the customer has any questions, complaints or requests, including those for the exercise of his rights under the Regulation or the preceding Article, he may contact the Data Protection Officer or controller at: [email protected] or in writing at:
Adria Casino d.o.o., Dubečka 1, Zagreb.
You may contact us at any time and view, modify, alter or rectify your data in accordance with your rights under said laws.
The customer may at any time lodge a complaint with the personal data protection supervisory authority:
Personal Data Protection Agency
Martićeva ulica 14, 10000 ZAGREB