Adria Casino d.o.o. from Zagreb, Dubečka 1, OIB: 90180501899, on October 5, 2020. brings the next

PRIVACY RULES

INTRODUCTION

Adria Casino d.o.o., located at Dubečka 1, Zagreb, OIB 90180501899 (hereinafter referred to as Adria Casino d.o.o.), pays particular attention to the protection of personal data and privacy (hereinafter referred to as privacy protection) of its clients, suppliers, employees, and other entities with whom it interacts (hereinafter referred to as clients), in accordance with applicable regulations and best European practices (EU Regulation 2016/679, European Parliament). The protection of our clients’ privacy is an integral part of our services and business practices.

With our Privacy Policy, we aim to provide clear information about the processing and protection of personal data handled by Adria Casino d.o.o., and to enable clients to easily monitor and manage their personal data and consents.

This Privacy Policy has been in effect since October 5, 2020, and it describes the personal data collected by Adria Casino d.o.o., how it processes this data, the purposes for which it is used, the duration and manner of its storage, as well as the rights of clients related to their personal data.

Data Controller:

ADRIA CASINO d.o.o., Dubečka 1, Zagreb, OIB: 90180501899

Email: zastitapodataka@senator.hr

Phone: 01/2922 390 

Data Protection Officer:

Email: zastitapodataka@senator.hr

Phone: 01/2922 390

 

  1. SCOPE OF APPLICATION

The Privacy Policy applies to all personal data collected, used, or otherwise processed by Adria Casino d.o.o., either directly or through its partners. A personal data refers to any information relating to an identified or identifiable natural person, directly or indirectly.

Data processing encompasses any operation performed on personal data, such as collection, recording, storage, use, transfer, access to personal data, etc.

Adria Casino d.o.o. is the data controller concerning the personal data of its clients in accordance with the applicable personal data protection regulations.

The Privacy Policy applies to all natural persons who engage with Adria Casino d.o.o. in any capacity.

  1. PRINCIPLES OF PERSONAL DATA PROCESSING

2.1. TRUST

Adria Casino d.o.o. aims to be completely transparent and clear regarding the processing of clients’ personal data, which is the purpose of this Privacy Policy, and to have a relationship with its clients based on trust. 

2.2. LAWFULNESS OF DATA PROCESSING

Adria Casino d.o.o. processes personal data in accordance with the law. 

2.3. LIMITED PURPOSE OF PROCESSING

Adria Casino d.o.o. collects and processes personal data only for a specific and lawful purpose and further processes it only in a manner consistent with the purpose for which it was collected. 

2.4. DATA MINIMIZATION

We always use only the client data that is appropriate and necessary to achieve a specific lawful purpose, and not more than that. 

2.5. INTEGRITY AND CONFIDENTIALITY

Personal data is processed securely, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage (access to personal data is restricted to authorized personnel who need it to perform their job, but not to other employees). 

2.6. QUALITY OF PERSONAL DATA

We attach great importance to the personal data we process. The personal data we process must be accurate, complete, and up-to-date, and it is important that clients notify us of any changes to their data immediately or as soon as possible. Adria Casino d.o.o. is not and cannot be responsible for data provided by clients that is later changed without notification. 

2.7. LIMITED STORAGE PERIOD

We collect, store, and process personal data for as long as prescribed by the law on which the obligation to collect personal data is based, as long as determined by consent, which clients are informed about when signing the consent, and as long as necessary to achieve a legitimate purpose. 

  1. METHOD OF COLLECTING PERSONAL DATA

Adria Casino d.o.o. collects personal data directly from clients. There is a legal basis for each personal data processing. The legal bases for processing personal data are: legal obligation of the data controller, processing necessary for the performance of a contract, client consent, and legitimate interest. In accordance with the Regulation, when processing personal data based on legitimate interest, we conduct a legitimacy test. 

  1. TYPES OF DATA WE COLLECT

Below is a list of the personal data we collect, the legal basis on which we collect it, and the duration for which we store it. 

4.1. CONTRACTUAL DATA

For the purposes of contract execution, intent to enter into a contract, business negotiations, and similar activities, Adria Casino d.o.o. may collect the following personal data:

Name and surname of the representatives of trading companies or property owners, etc.

OIB (personal identification number)

Residence

Email address

Property ownership details

Bank account number

 

These data are stored for the period prescribed by the relevant law depending on the type of contract concluded, the period necessary for contract execution, and are deleted after this period. In case a client refuses to provide some of the requested data necessary for contract execution, Adria Casino d.o.o. reserves the right to refuse to enter into a business relationship with the client. 

4.2. PERSONAL DATA COLLECTED IN ONLINE GAMBLING

The legal basis for collecting data in online gambling is the legal obligation of the data controller. We are required to collect data based on the Law on Games of Chance, the Regulations on Organizing Games of Chance in Casinos through Interactive Sales Channels Online Gaming, and the Law on the Prevention of Money Laundering and Financing of Terrorism. The data we collect includes:

Email

Password

Username

First name

Last name

Residential address

OIB (personal identification number)

Mobile phone number

Date of birth (day, month, year)

Gender

Bank account number (IBAN)

Type of identification document

Identification document number

Expiry date of identification document (day, month, year)

Issuer of identification document

Country of issuance of identification document

Scan or image of identification document

Nationality

Data on political exposure

Nature of exposure

Type of public office

Source of assets

 

These data are stored for a minimum of 10 years as prescribed by the Law on the Prevention of Money Laundering and Financing of Terrorism. The data mentioned are collected based on legal requirements, and if a client refuses to provide the specified personal data, they will not be able to use the services of Adria Casino d.o.o. nor participate in games of chance. 

4.2.1. AUTOMATIC DATA PROCESSING AND ANONYMIZATION

In online gambling, Adria Casino d.o.o. applies automatic data processing of client data to fulfill contract requirements. 

Adria Casino d.o.o. internally processes personal data necessary for the normal functioning of the online and interactive gambling systems. Personal data is anonymized, and in daily operations, all client data is processed anonymously. 

Data processing aims to organize games of chance and perform specific data analysis to improve business operations, enhance service quality and levels, and increase client satisfaction. The data is not used for purposes not specified in this policy. 

Access to personal data is only possible through direct access to the database and logs by an authorized administrator or specially authorized employees. Every access is logged. The purpose of accessing data is to ensure technical correctness and not to view personal data.

 

4.3. VIDEO SURVEILLANCE

The legal basis for processing personal data in the case of video surveillance in slot machine clubs is the legal obligation of the data controller based on the Law on the Protection of Monetary Institutions.

Adria Casino d.o.o. applies alternative methods of protecting monetary institutions in all its slot machine clubs, and in accordance with the Law on the Protection of Monetary Institutions (NN 56/15), it implements all protection measures for slot machine clubs according to the Project Documentation prepared by ADC – Alarm Reporting Center, Letovanička 22, Zagreb, for each slot machine club separately. A video surveillance system is installed inside and outside the slot machine clubs with digital video recording storage. Communication between the data controller and ADC takes place via a monitored secure line. Only authorized persons appointed by the Data Controller have access to the server and monitor for video surveillance review. Video surveillance recordings are stored in accordance with the Law on the Protection of Monetary Institutions. The retention period for video surveillance recordings from slot machine clubs is 10 days, and video surveillance recordings from the casino are stored for a minimum of 60 days, all in accordance with regulations. In the event of a legal dispute or legal proceedings, and if there is a need to retain recordings longer than prescribed, they are kept in the organizational unit until the end of the proceedings. 

4.3.1. VIDEO SURVEILLANCE IN THE ADMINISTRATIVE BUILDING

The purpose of video surveillance in an office building is to protect property, employees and reduce the risk of robbery, burglary and other forms of violence, possible dangers and unauthorized access to protected premises. The legal basis for data processing in relation to the visitor is legitimate interest, and in relation to the employee it is the legal basis. It is based on our interest in securing evidence and preventing crimes. When installing video surveillance inside the administration building, all the conditions prescribed by the Law on the Implementation of the General Regulation on the Protection of Personal Data and the conditions established by the regulations governing safety at work were met. Videos are deleted after 7 working days. In the event of the need for a court dispute or legal procedure, and if there is a need to keep recordings longer than prescribed, they are kept in the organizational unit until the end of the procedure at the latest. 

4.4. DATA COLLECTED IN SLOT MACHINE CLUBS AND CASINOS

The legal basis for collecting personal data in slot machine clubs and casinos is the legal obligation of the data controller. Based on the obligation to conduct a due diligence analysis of the client before entering into a business relationship as per the Anti-Money Laundering and Terrorism Financing Act (NN 108/2017), we are required to collect the following personal data: 

For a natural person, attorney, legal representative: name and surname, residence, date of birth, identification number, type and number of identification document, issuing country, and citizenship(s).

For the natural person for whom the transaction is intended: name and surname, residence, and identification number if available.

For a craft and other independent activities: name, headquarters (street and house number, place, and country), identification number of the craft and the person conducting the activity, and the same for the intended transaction if available.

For the real owner of the client: name and surname, country of residence, date of birth, and citizenship(s).

Information about the purpose and nature of the business relationship, including information about the client’s activities.

Date and time of establishing the business relationship.

Date and time of the transaction, amount, and currency, method of transaction, and if there is a high risk of money laundering or terrorism financing, the purpose of the transaction.

Source of funds involved in the business relationship or transaction.

Other transaction-related data as per Articles 20, 56, and 57 of the Anti-Money Laundering and Terrorism Financing Act.

These data are retained for 10 years from the date of termination of the business relationship, as mandated by the Anti-Money Laundering and Terrorism Financing Act. 

4.5. DATA COLLECTED FOR MARKETING PURPOSES

The legal basis for collecting data for marketing purposes is consent. Adria Casino d.o.o. uses data for marketing purposes, such as creating a database in the CRM application through which clients utilize various benefits. Personal data used for marketing purposes collected during the calendar year are deleted on January 2 of the following year. Data collected for marketing purposes via consent include: 

Name and surname

Personal identification number (OIB)

ID card number

Date of birth

Email address

 

4.5.1. SENATOR HIT THE JACKPOT APPLICATION

When downloading vouchers in the Senator Hit the Jackpot application, it is necessary to enter personal data: nickname, name and surname, date of birth, and ID card number. By entering personal data and downloading the voucher, you give your explicit consent for the collection and processing of your personal data made available to us. 

The personal data collected through the Senator Hit the Jackpot application will be used exclusively for marketing purposes, to measure the success of promotions, and will be treated in accordance with the EU General Data Protection Regulation (GDPR) (2016/679). 

4.6. SOCIAL NETWORKS

On our website, you will find icons for Facebook, Instagram, and YouTube. Clicking on the icons will redirect you to our profiles on the mentioned sites. These pages are used to post news and promotions. More information about data processing by social networks can be found in their individual data usage policies available for Facebook here, for Instagram here, and for YouTube here. 

4.7. PROCESSING OF PERSONAL DATA IN CREDIT AND DEBIT CARD PAYMENTS – CORVUS PAY D.O.O.

Adria Casino d.o.o., at the time of payment on the website www.senator.hr, requests data for initiating the payment process through Corvus Pay d.o.o., Buzin, Buzinski prilaz 10, the service provider for card processing and payment, a contracted partner of Adria Casino d.o.o., and the processor of personal data. 

For this purpose, the personal data of the client (name and surname, address, card details) are temporarily stored by Corvus Pay d.o.o., which stores these data in accordance with PCI DSS certification, the highest level of protection, and confidentiality. 

Adria Casino d.o.o. does not at any point possess, collect, or process personal data entered for the purpose of card processing and payment. For more details about the processing of personal data by Corvus Pay d.o.o., visit their website or click here. 

Clients are advised to protect their card data to prevent unauthorized access and misuse. 

The www.senator.hr website enables clients to pay via Corvus Wallet. Corvus Wallet is a separate payment and card data storage service owned by Corvus Pay d.o.o. To use this service, the buyer must register during the purchase process or have previously registered with Corvus Wallet. 

Adria Casino d.o.o. does not at any point possess, collect, or process personal data entered for the purpose of card processing and payment via Corvus Wallet. Information about the processing of personal data related to Corvus Wallet by Corvus Pay d.o.o. can be found on their website or click here. 

4.8. PROCESSING OF PERSONAL DATA IN THE SELF-EXCLUSION PROCESS

As a gambling organizer, we are obliged to implement player protection measures against excessive participation in gambling, in accordance with the Regulations on Organizing Games of Chance in Casinos via Interactive Sales Channels and Online Gaming, and our own principles of responsible gambling organization. More about the self-exclusion process can be read in our General Rules by clicking here. 

The legal basis for collecting data during the self-exclusion process is the legal obligation of the data controller. Data is retained for the duration of the self-exclusion period and is then appropriately deleted and destroyed. Personal data required to conduct the self-exclusion process include: 

Name and surname

Date of birth

Gender

Address of residence

Place and postal code

Contact phone

Contact email

ID card number and place of issue

Photograph

 

The self-exclusion request is made using a form prepared by the Croatian Association of Gambling Organizers. Players also have the option to revoke self-exclusion. In that case, we collect the player’s name, surname, and personal identification number (OIB). The revocation of self-exclusion is retained for the duration specified in the initial self-exclusion request. 

4.8.1. PROCESSING OF PERSONAL DATA IN THE ACCOUNT CLOSING PROCEDURE

Personal data that we process in the process of requesting account closure are first and last name, OIB and username. We request the data for the purpose of confirmation of identification, on the basis of which your request will be processed. 

4.9. DATA COLLECTED BY VISITING THE WEBSITE

Whenever you visit our website, our system automatically collects data and information from the computer system used to visit the site. The collected data relates to technical data, visit data, and cookies. The data is collected to improve the quality of service and security level. Technical data and visit data are retained for the duration of the session. The legal basis for collecting technical data and visit data is legitimate interest. 

Technical data collected includes:

IP address

Device type

Operating system

Web browser

Language settings

Screen size

Referring page

Visit time

 

Visit data collected includes:

Number of visits

Number of unique visitors

Session duration

Bounce rate

Most visited pages

Traffic sources

 

To make the visit to the website as pleasant and convenient as possible, we store small data files called cookies on your devices. They ensure the website works optimally and help display pages correctly on your device. More about cookies can be read in the Cookie Policy available on the web. 

4.10. PROCESSING OF PERSONAL DATA WHEN APPLYING FOR JOB VACANCIES

For the purposes of recruiting new employees, a job advertisement is published on the MY Job portal, the website of the Employment Office, and on the bulletin boards and web portal of the student center. Adria Casino receives applications from candidates for jobs, and for this purpose personal data of candidates voluntarily provided by the candidate in the application and CV (name, surname, date of birth, contact information, previous work experience, professional qualifications, education, photo) are processed. Data is received via the My Job portal or via e-mail ljudskipotencijali@senator.hr. After the end of the job competition, and within 30 days at the latest, all collected documentation and data are deleted and destroyed in the prescribed manner. Participation in the competition is voluntary, and the candidate’s data is processed as pre-contractual actions that precede the conclusion of an employment contract. Only authorized persons from the human resources department have access to job candidate data. 

4.11. VIDEO IDENTIFICATION

Adria Casino d.o.o. based on the Ordinance on the remote introduction of the party and the minimum conditions that must be met by the solution that determines and checks the identity of the party at a distance, conducts video identification on its online casino website. Video identification is done through the Jumio platform by uploading an image of an official ID followed by video identification of the person by collecting a facial scan to verify the match of the player’s identity. Personal data that is collected is a picture of an official personal document and a face scan, which is then linked to the player’s ID. Collected data is stored for the period prescribed by the Law on Prevention of Money Laundering and Financing of Terrorism. 

  1. PURPOSE OF COLLECTING PERSONAL DATA

Data is processed fairly and lawfully and is not collected in greater scope than necessary. Personal data of business partners, clients, etc., are collected and processed by Adria Casino d.o.o. for the purpose of concluding and fulfilling business cooperation agreements, in cases prescribed by law, and with client consent only for the purpose to which the consent relates. If the need arises to collect other personal data for a different purpose, clients will be informed in a timely manner, and their consent will be requested. 

  1. CLIENT CONSENT

Client consent is considered to be a voluntary, specific, informed, and unambiguous expression of the client’s wish, through which the client gives permission for the processing of personal data for certain purposes (e.g., a specific promotion) by a clear statement or affirmative action. 

Clients manage their expressions of will and consents based on their needs and interests. Therefore, they can withdraw their consent at any time, in a simple and free manner, either personally at the business unit where the consent was given or via the email designated for data protection. 

  1. PUBLICATION OF CLIENT PHOTOS ON OFFICIAL PROCESSOR’S WEBSITE (WWW.SENATOR.HR) AND OFFICIAL FACEBOOK PROFILE (SENATOR AUTOMAT CLUBS CROATIA)

Adria Casino d.o.o. informs all its clients that during any promotional event or celebration such as birthdays held within individual automatic clubs, there is a photographer present who captures the event. Clients have the option to inform the manager of the automatic club on-site if they do not wish to be photographed and subsequently published on the official website and official Facebook profile. If they fail to inform the club manager about their preference not to be photographed and their photo is published, they can contact the Data Protection Officer via email at zastitapodataka@senator.hr, and the photo will be promptly removed. 

  1. MEASURES TO PROTECT PERSONAL DATA

In accordance with the Personal Data Protection Act, Adria Casino d.o.o. has implemented prescribed technical measures and procedures to ensure controlled access to personal data, accessible only to authorized personnel. The collection and processing of data adhere to the latest security protocols, including servers, databases, backups, firewalls, encryption, monitoring systems, and access control systems—both physical and software-supported—to safeguard against loss or misuse of personal data. 

8.1. PHYSICAL DATA PROTECTION

Adria Casino d.o.o.  ensures physical security of its premises through an alarm system and a CCTV surveillance system directly connected to security services with whom they collaborate. These security services respond either to calls or automatically to alarms triggered at their monitoring center, after which security personnel are dispatched to the site. All locations are equipped with state-of-the-art, sophisticated equipment as required by the Law on the Protection of Monetary Institutions. 

The server equipment where data is stored is housed in server rooms protected by the aforementioned security measures. Within these rooms, servers are further secured in lockable server cabinets. 

Access control measures are implemented throughout all locations where personal data is present, including electronic access systems and RFID card readers, both for general site access and specific rooms within each location. 

All locations housing personal data are equipped with fire protection measures. 

8.2. DIGITAL DATA PROTECTION

Computers/Workstations in Offices: Each user account is individually managed through Active Directory and Domain Group Policy settings. 

Computers/Workstations in Automatic Clubs: These are either physically secured within locked anti-burglary cash registers accessible only to club personnel, or digitally secured with passwords. 

Protection includes systems to prevent viruses, malicious applications, scripts, and unauthorized software components from executing, transmitting, or being received. 

Regular backups are performed on all critical business systems as required by law and business needs. 

Computer access to all systems is restricted in multiple ways, including limiting access rights at the user account level. Database access is restricted to authorized personnel only, protecting systems from unauthorized access, installation of unwanted applications, accidental data loss, and more. 

These comprehensive physical and digital security measures ensure that Adria Casino Ltd. adheres to legal requirements and best practices in safeguarding personal data against unauthorized access, loss, or misuse. 

  1. DATA PROCESSORS

Adria Casino d.o.o., as the data controller, has entered into contracts with several data processors who comply with the GDPR and handle all personal data strictly as prescribed. These arrangements are defined in contracts or annexes concluded with each data processor. 

  1. TRANSFER OF PERSONAL DATA TO THIRD PARTIES

Adria Casino d.o.o. is obligated under legal provisions to transmit personal data collected to specific government bodies within the scope of their legal duties (e.g., Ministry of Finance, Ministry of Internal Affairs, Office for Prevention of Money Laundering and Financing of Terrorism, etc.). 

The data collected by Adria Casino d.o.o. is considered confidential business information and may only be disclosed in the aforementioned legal scenarios. 

  1. RIGHTS OF DATA SUBJECTS (RECTIFICATION, ERASURE, OBJECTION, ACCESS, RESTRICTION OF PROCESSING, DATA PORTABILITY)

According to the General Data Protection Regulation (GDPR), every client has the right to: 

Request access to personal data held by the data controller and request rectification or erasure of personal data, all in accordance with the provisions of these Rules and legal regulations. 

Request restriction of processing concerning them as a data subject, in accordance with the provisions of these Rules and legal regulations. 

Object to the processing of personal data, including the use of personal data for direct marketing purposes and automated decision-making, including profiling, all in accordance with the provisions of these Rules and legal regulations. 

Request data portability of personal data concerning them, in accordance with the provisions of these Rules and legal regulations. 

Withdraw consent for the processing of personal data at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. 

Requests to exercise these rights can be submitted in one of the following ways: 

By email to: zastitapodataka@senator.hr

By sending a request by mail to: Adria Casino d.o.o., Dubečka 1, 10000 Zagreb

By filling out the online form available on the company’s website and sending it to zastitapodataka@senator.hr

By calling the telephone number: 01/2922 390

 

For identification purposes, the request should minimally include:

Personal information of the requester

The specific right the requester wishes to exercise

 The Data Protection Officer processes the received request immediately upon receipt, if possible. If further clarification is needed to process the request, the Data Protection Officer will forward the request to the appropriate competent persons for detailed response, and will respond to the requester based on the received information. 

The response to the request is provided in the same format in which the request was received, unless the client has requested otherwise. 

Upon receipt of the request, the Data Protection Officer responds without undue delay and no later than within one month from the receipt of the request. Exceptionally, this period may be extended by an additional two months due to the complexity of the received request, of which the requester will be notified within one month. The notification will state the new deadline for response and the reasons for the extension. 

If the Data Protection Officer does not act on the request of the requester, they are obliged, without delay and no later than within 30 days from receipt of the request, to inform the requester of the reasons for not acting and the possibility of lodging a complaint with the supervisory authority. 

If the requester is not satisfied with the response, they have the right to lodge a complaint at any time with the Croatian Personal Data Protection Agency, Selska cesta 136, 10000 Zagreb. Complaints can be submitted in person, by post, or by email to: azop@azop.hr. 

It is emphasized that in accordance with our obligations under the GDPR, we must retain in our records all responses to requests from data subjects. Data from the email through which you sent us the inquiry (such as your email address, name, and surname) will be processed until the process related to the request for exercising the rights of data subjects is completed, and thereafter as long as there is a need to fulfill the purpose for which this data was collected (up to 5 years from the resolution of the request/inquiry). Responses to requests related to privacy and personal data protection rights are kept for the purpose of demonstrating that we have responded to them.