Adria Casino d.o.o. from Zagreb, Dubečka 1, OIB: 90180501899, on October 5, 2020. brings the next
PRIVACY RULES
INTRODUCTION
Adria Casino d.o.o., located at Dubečka 1, Zagreb, OIB 90180501899 (hereinafter referred to as Adria Casino d.o.o.), pays particular attention to the protection of personal data and privacy (hereinafter referred to as privacy protection) of its clients, suppliers, employees, and other entities with whom it interacts (hereinafter referred to as clients), in accordance with applicable regulations and best European practices (EU Regulation 2016/679, European Parliament). The protection of our clients’ privacy is an integral part of our services and business practices.
With our Privacy Policy, we aim to provide clear information about the processing and protection of personal data handled by Adria Casino d.o.o., and to enable clients to easily monitor and manage their personal data and consents.
This Privacy Policy has been in effect since October 5, 2020, and it describes the personal data collected by Adria Casino d.o.o., how it processes this data, the purposes for which it is used, the duration and manner of its storage, as well as the rights of clients related to their personal data.
Data Controller:
ADRIA CASINO d.o.o., Dubečka 1, Zagreb, OIB: 90180501899
Email: zastitapodataka@senator.hr
Phone: 01/2922 390
Data Protection Officer:
Email: zastitapodataka@senator.hr
Phone: 01/2922 390
The Privacy Policy applies to all personal data collected, used, or otherwise processed by Adria Casino d.o.o., either directly or through its partners. A personal data refers to any information relating to an identified or identifiable natural person, directly or indirectly.
Data processing encompasses any operation performed on personal data, such as collection, recording, storage, use, transfer, access to personal data, etc.
Adria Casino d.o.o. is the data controller concerning the personal data of its clients in accordance with the applicable personal data protection regulations.
The Privacy Policy applies to all natural persons who engage with Adria Casino d.o.o. in any capacity.
2.1. TRUST
Adria Casino d.o.o. aims to be completely transparent and clear regarding the processing of clients’ personal data, which is the purpose of this Privacy Policy, and to have a relationship with its clients based on trust.
2.2. LAWFULNESS OF DATA PROCESSING
Adria Casino d.o.o. processes personal data in accordance with the law.
2.3. LIMITED PURPOSE OF PROCESSING
Adria Casino d.o.o. collects and processes personal data only for a specific and lawful purpose and further processes it only in a manner consistent with the purpose for which it was collected.
2.4. DATA MINIMIZATION
We always use only the client data that is appropriate and necessary to achieve a specific lawful purpose, and not more than that.
2.5. INTEGRITY AND CONFIDENTIALITY
Personal data is processed securely, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage (access to personal data is restricted to authorized personnel who need it to perform their job, but not to other employees).
2.6. QUALITY OF PERSONAL DATA
We attach great importance to the personal data we process. The personal data we process must be accurate, complete, and up-to-date, and it is important that clients notify us of any changes to their data immediately or as soon as possible. Adria Casino d.o.o. is not and cannot be responsible for data provided by clients that is later changed without notification.
2.7. LIMITED STORAGE PERIOD
We collect, store, and process personal data for as long as prescribed by the law on which the obligation to collect personal data is based, as long as determined by consent, which clients are informed about when signing the consent, and as long as necessary to achieve a legitimate purpose.
Adria Casino d.o.o. collects personal data directly from clients. There is a legal basis for each personal data processing. The legal bases for processing personal data are: legal obligation of the data controller, processing necessary for the performance of a contract, client consent, and legitimate interest. In accordance with the Regulation, when processing personal data based on legitimate interest, we conduct a legitimacy test.
Below is a list of the personal data we collect, the legal basis on which we collect it, and the duration for which we store it.
4.1. CONTRACTUAL DATA
For the purposes of contract execution, intent to enter into a contract, business negotiations, and similar activities, Adria Casino d.o.o. may collect the following personal data:
Name and surname of the representatives of trading companies or property owners, etc.
OIB (personal identification number)
Residence
Email address
Property ownership details
Bank account number
These data are stored for the period prescribed by the relevant law depending on the type of contract concluded, the period necessary for contract execution, and are deleted after this period. In case a client refuses to provide some of the requested data necessary for contract execution, Adria Casino d.o.o. reserves the right to refuse to enter into a business relationship with the client.
4.2. PERSONAL DATA COLLECTED IN ONLINE GAMBLING
The legal basis for collecting data in online gambling is the legal obligation of the data controller. We are required to collect data based on the Law on Games of Chance, the Regulations on Organizing Games of Chance in Casinos through Interactive Sales Channels Online Gaming, and the Law on the Prevention of Money Laundering and Financing of Terrorism. The data we collect includes:
Password
Username
First name
Last name
Residential address
OIB (personal identification number)
Mobile phone number
Date of birth (day, month, year)
Gender
Bank account number (IBAN)
Type of identification document
Identification document number
Expiry date of identification document (day, month, year)
Issuer of identification document
Country of issuance of identification document
Scan or image of identification document
Nationality
Data on political exposure
Nature of exposure
Type of public office
Source of assets
These data are stored for a minimum of 10 years as prescribed by the Law on the Prevention of Money Laundering and Financing of Terrorism. The data mentioned are collected based on legal requirements, and if a client refuses to provide the specified personal data, they will not be able to use the services of Adria Casino d.o.o. nor participate in games of chance.
4.2.1. AUTOMATIC DATA PROCESSING AND ANONYMIZATION
In online gambling, Adria Casino d.o.o. applies automatic data processing of client data to fulfill contract requirements.
Adria Casino d.o.o. internally processes personal data necessary for the normal functioning of the online and interactive gambling systems. Personal data is anonymized, and in daily operations, all client data is processed anonymously.
Data processing aims to organize games of chance and perform specific data analysis to improve business operations, enhance service quality and levels, and increase client satisfaction. The data is not used for purposes not specified in this policy.
Access to personal data is only possible through direct access to the database and logs by an authorized administrator or specially authorized employees. Every access is logged. The purpose of accessing data is to ensure technical correctness and not to view personal data.
4.3. VIDEO SURVEILLANCE
The legal basis for processing personal data in the case of video surveillance in slot machine clubs is the legal obligation of the data controller based on the Law on the Protection of Monetary Institutions.
Adria Casino d.o.o. applies alternative methods of protecting monetary institutions in all its slot machine clubs, and in accordance with the Law on the Protection of Monetary Institutions (NN 56/15), it implements all protection measures for slot machine clubs according to the Project Documentation prepared by ADC – Alarm Reporting Center, Letovanička 22, Zagreb, for each slot machine club separately. A video surveillance system is installed inside and outside the slot machine clubs with digital video recording storage. Communication between the data controller and ADC takes place via a monitored secure line. Only authorized persons appointed by the Data Controller have access to the server and monitor for video surveillance review. Video surveillance recordings are stored in accordance with the Law on the Protection of Monetary Institutions. The retention period for video surveillance recordings from slot machine clubs is 10 days, and video surveillance recordings from the casino are stored for a minimum of 60 days, all in accordance with regulations. In the event of a legal dispute or legal proceedings, and if there is a need to retain recordings longer than prescribed, they are kept in the organizational unit until the end of the proceedings.
4.3.1. VIDEO SURVEILLANCE IN THE ADMINISTRATIVE BUILDING
The purpose of video surveillance in an office building is to protect property, employees and reduce the risk of robbery, burglary and other forms of violence, possible dangers and unauthorized access to protected premises. The legal basis for data processing in relation to the visitor is legitimate interest, and in relation to the employee it is the legal basis. It is based on our interest in securing evidence and preventing crimes. When installing video surveillance inside the administration building, all the conditions prescribed by the Law on the Implementation of the General Regulation on the Protection of Personal Data and the conditions established by the regulations governing safety at work were met. Videos are deleted after 7 working days. In the event of the need for a court dispute or legal procedure, and if there is a need to keep recordings longer than prescribed, they are kept in the organizational unit until the end of the procedure at the latest.
4.4. DATA COLLECTED IN SLOT MACHINE CLUBS AND CASINOS
The legal basis for collecting personal data in slot machine clubs and casinos is the legal obligation of the data controller. Based on the obligation to conduct a due diligence analysis of the client before entering into a business relationship as per the Anti-Money Laundering and Terrorism Financing Act (NN 108/2017), we are required to collect the following personal data:
For a natural person, attorney, legal representative: name and surname, residence, date of birth, identification number, type and number of identification document, issuing country, and citizenship(s).
For the natural person for whom the transaction is intended: name and surname, residence, and identification number if available.
For a craft and other independent activities: name, headquarters (street and house number, place, and country), identification number of the craft and the person conducting the activity, and the same for the intended transaction if available.
For the real owner of the client: name and surname, country of residence, date of birth, and citizenship(s).
Information about the purpose and nature of the business relationship, including information about the client’s activities.
Date and time of establishing the business relationship.
Date and time of the transaction, amount, and currency, method of transaction, and if there is a high risk of money laundering or terrorism financing, the purpose of the transaction.
Source of funds involved in the business relationship or transaction.
Other transaction-related data as per Articles 20, 56, and 57 of the Anti-Money Laundering and Terrorism Financing Act.
These data are retained for 10 years from the date of termination of the business relationship, as mandated by the Anti-Money Laundering and Terrorism Financing Act.
4.5. DATA COLLECTED FOR MARKETING PURPOSES
The legal basis for collecting data for marketing purposes is consent. Adria Casino d.o.o. uses data for marketing purposes, such as creating a database in the CRM application through which clients utilize various benefits. Personal data used for marketing purposes collected during the calendar year are deleted on January 2 of the following year. Data collected for marketing purposes via consent include:
Name and surname
Personal identification number (OIB)
ID card number
Date of birth
Email address
4.5.1. SENATOR HIT THE JACKPOT APPLICATION
When downloading vouchers in the Senator Hit the Jackpot application, it is necessary to enter personal data: nickname, name and surname, date of birth, and ID card number. By entering personal data and downloading the voucher, you give your explicit consent for the collection and processing of your personal data made available to us.
The personal data collected through the Senator Hit the Jackpot application will be used exclusively for marketing purposes, to measure the success of promotions, and will be treated in accordance with the EU General Data Protection Regulation (GDPR) (2016/679).
4.6. SOCIAL NETWORKS
On our website, you will find icons for Facebook, Instagram, and YouTube. Clicking on the icons will redirect you to our profiles on the mentioned sites. These pages are used to post news and promotions. More information about data processing by social networks can be found in their individual data usage policies available for Facebook here, for Instagram here, and for YouTube here.
4.7. PROCESSING OF PERSONAL DATA IN CREDIT AND DEBIT CARD PAYMENTS – CORVUS PAY D.O.O.
Adria Casino d.o.o., at the time of payment on the website www.senator.hr, requests data for initiating the payment process through Corvus Pay d.o.o., Buzin, Buzinski prilaz 10, the service provider for card processing and payment, a contracted partner of Adria Casino d.o.o., and the processor of personal data.
For this purpose, the personal data of the client (name and surname, address, card details) are temporarily stored by Corvus Pay d.o.o., which stores these data in accordance with PCI DSS certification, the highest level of protection, and confidentiality.
Adria Casino d.o.o. does not at any point possess, collect, or process personal data entered for the purpose of card processing and payment. For more details about the processing of personal data by Corvus Pay d.o.o., visit their website or click here.
Clients are advised to protect their card data to prevent unauthorized access and misuse.
The www.senator.hr website enables clients to pay via Corvus Wallet. Corvus Wallet is a separate payment and card data storage service owned by Corvus Pay d.o.o. To use this service, the buyer must register during the purchase process or have previously registered with Corvus Wallet.
Adria Casino d.o.o. does not at any point possess, collect, or process personal data entered for the purpose of card processing and payment via Corvus Wallet. Information about the processing of personal data related to Corvus Wallet by Corvus Pay d.o.o. can be found on their website or click here.
4.8. PROCESSING OF PERSONAL DATA IN THE SELF-EXCLUSION PROCESS
As a gambling organizer, we are obliged to implement player protection measures against excessive participation in gambling, in accordance with the Regulations on Organizing Games of Chance in Casinos via Interactive Sales Channels and Online Gaming, and our own principles of responsible gambling organization. More about the self-exclusion process can be read in our General Rules by clicking here.
The legal basis for collecting data during the self-exclusion process is the legal obligation of the data controller. Data is retained for the duration of the self-exclusion period and is then appropriately deleted and destroyed. Personal data required to conduct the self-exclusion process include:
Name and surname
Date of birth
Gender
Address of residence
Place and postal code
Contact phone
Contact email
ID card number and place of issue
Photograph
The self-exclusion request is made using a form prepared by the Croatian Association of Gambling Organizers. Players also have the option to revoke self-exclusion. In that case, we collect the player’s name, surname, and personal identification number (OIB). The revocation of self-exclusion is retained for the duration specified in the initial self-exclusion request.
4.8.1. PROCESSING OF PERSONAL DATA IN THE ACCOUNT CLOSING PROCEDURE
Personal data that we process in the process of requesting account closure are first and last name, OIB and username. We request the data for the purpose of confirmation of identification, on the basis of which your request will be processed.
4.9. DATA COLLECTED BY VISITING THE WEBSITE
Whenever you visit our website, our system automatically collects data and information from the computer system used to visit the site. The collected data relates to technical data, visit data, and cookies. The data is collected to improve the quality of service and security level. Technical data and visit data are retained for the duration of the session. The legal basis for collecting technical data and visit data is legitimate interest.
Technical data collected includes:
IP address
Device type
Operating system
Web browser
Language settings
Screen size
Referring page
Visit time
Visit data collected includes:
Number of visits
Number of unique visitors
Session duration
Bounce rate
Most visited pages
Traffic sources
To make the visit to the website as pleasant and convenient as possible, we store small data files called cookies on your devices. They ensure the website works optimally and help display pages correctly on your device. More about cookies can be read in the Cookie Policy available on the web.
4.10. PROCESSING OF PERSONAL DATA WHEN APPLYING FOR JOB VACANCIES
For the purposes of recruiting new employees, a job advertisement is published on the MY Job portal, the website of the Employment Office, and on the bulletin boards and web portal of the student center. Adria Casino receives applications from candidates for jobs, and for this purpose personal data of candidates voluntarily provided by the candidate in the application and CV (name, surname, date of birth, contact information, previous work experience, professional qualifications, education, photo) are processed. Data is received via the My Job portal or via e-mail ljudskipotencijali@senator.hr. After the end of the job competition, and within 30 days at the latest, all collected documentation and data are deleted and destroyed in the prescribed manner. Participation in the competition is voluntary, and the candidate’s data is processed as pre-contractual actions that precede the conclusion of an employment contract. Only authorized persons from the human resources department have access to job candidate data.
4.11. VIDEO IDENTIFICATION
Adria Casino d.o.o. based on the Ordinance on the remote introduction of the party and the minimum conditions that must be met by the solution that determines and checks the identity of the party at a distance, conducts video identification on its online casino website. Video identification is done through the Jumio platform by uploading an image of an official ID followed by video identification of the person by collecting a facial scan to verify the match of the player’s identity. Personal data that is collected is a picture of an official personal document and a face scan, which is then linked to the player’s ID. Collected data is stored for the period prescribed by the Law on Prevention of Money Laundering and Financing of Terrorism.
Data is processed fairly and lawfully and is not collected in greater scope than necessary. Personal data of business partners, clients, etc., are collected and processed by Adria Casino d.o.o. for the purpose of concluding and fulfilling business cooperation agreements, in cases prescribed by law, and with client consent only for the purpose to which the consent relates. If the need arises to collect other personal data for a different purpose, clients will be informed in a timely manner, and their consent will be requested.
Client consent is considered to be a voluntary, specific, informed, and unambiguous expression of the client’s wish, through which the client gives permission for the processing of personal data for certain purposes (e.g., a specific promotion) by a clear statement or affirmative action.
Clients manage their expressions of will and consents based on their needs and interests. Therefore, they can withdraw their consent at any time, in a simple and free manner, either personally at the business unit where the consent was given or via the email designated for data protection.
Adria Casino d.o.o. informs all its clients that during any promotional event or celebration such as birthdays held within individual automatic clubs, there is a photographer present who captures the event. Clients have the option to inform the manager of the automatic club on-site if they do not wish to be photographed and subsequently published on the official website and official Facebook profile. If they fail to inform the club manager about their preference not to be photographed and their photo is published, they can contact the Data Protection Officer via email at zastitapodataka@senator.hr, and the photo will be promptly removed.
In accordance with the Personal Data Protection Act, Adria Casino d.o.o. has implemented prescribed technical measures and procedures to ensure controlled access to personal data, accessible only to authorized personnel. The collection and processing of data adhere to the latest security protocols, including servers, databases, backups, firewalls, encryption, monitoring systems, and access control systems—both physical and software-supported—to safeguard against loss or misuse of personal data.
8.1. PHYSICAL DATA PROTECTION
Adria Casino d.o.o. ensures physical security of its premises through an alarm system and a CCTV surveillance system directly connected to security services with whom they collaborate. These security services respond either to calls or automatically to alarms triggered at their monitoring center, after which security personnel are dispatched to the site. All locations are equipped with state-of-the-art, sophisticated equipment as required by the Law on the Protection of Monetary Institutions.
The server equipment where data is stored is housed in server rooms protected by the aforementioned security measures. Within these rooms, servers are further secured in lockable server cabinets.
Access control measures are implemented throughout all locations where personal data is present, including electronic access systems and RFID card readers, both for general site access and specific rooms within each location.
All locations housing personal data are equipped with fire protection measures.
8.2. DIGITAL DATA PROTECTION
Computers/Workstations in Offices: Each user account is individually managed through Active Directory and Domain Group Policy settings.
Computers/Workstations in Automatic Clubs: These are either physically secured within locked anti-burglary cash registers accessible only to club personnel, or digitally secured with passwords.
Protection includes systems to prevent viruses, malicious applications, scripts, and unauthorized software components from executing, transmitting, or being received.
Regular backups are performed on all critical business systems as required by law and business needs.
Computer access to all systems is restricted in multiple ways, including limiting access rights at the user account level. Database access is restricted to authorized personnel only, protecting systems from unauthorized access, installation of unwanted applications, accidental data loss, and more.
These comprehensive physical and digital security measures ensure that Adria Casino Ltd. adheres to legal requirements and best practices in safeguarding personal data against unauthorized access, loss, or misuse.
Adria Casino d.o.o., as the data controller, has entered into contracts with several data processors who comply with the GDPR and handle all personal data strictly as prescribed. These arrangements are defined in contracts or annexes concluded with each data processor.
Adria Casino d.o.o. is obligated under legal provisions to transmit personal data collected to specific government bodies within the scope of their legal duties (e.g., Ministry of Finance, Ministry of Internal Affairs, Office for Prevention of Money Laundering and Financing of Terrorism, etc.).
The data collected by Adria Casino d.o.o. is considered confidential business information and may only be disclosed in the aforementioned legal scenarios.
According to the General Data Protection Regulation (GDPR), every client has the right to:
Request access to personal data held by the data controller and request rectification or erasure of personal data, all in accordance with the provisions of these Rules and legal regulations.
Request restriction of processing concerning them as a data subject, in accordance with the provisions of these Rules and legal regulations.
Object to the processing of personal data, including the use of personal data for direct marketing purposes and automated decision-making, including profiling, all in accordance with the provisions of these Rules and legal regulations.
Request data portability of personal data concerning them, in accordance with the provisions of these Rules and legal regulations.
Withdraw consent for the processing of personal data at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
Requests to exercise these rights can be submitted in one of the following ways:
By email to: zastitapodataka@senator.hr
By sending a request by mail to: Adria Casino d.o.o., Dubečka 1, 10000 Zagreb
By filling out the online form available on the company’s website and sending it to zastitapodataka@senator.hr
By calling the telephone number: 01/2922 390
For identification purposes, the request should minimally include:
Personal information of the requester
The specific right the requester wishes to exercise
The Data Protection Officer processes the received request immediately upon receipt, if possible. If further clarification is needed to process the request, the Data Protection Officer will forward the request to the appropriate competent persons for detailed response, and will respond to the requester based on the received information.
The response to the request is provided in the same format in which the request was received, unless the client has requested otherwise.
Upon receipt of the request, the Data Protection Officer responds without undue delay and no later than within one month from the receipt of the request. Exceptionally, this period may be extended by an additional two months due to the complexity of the received request, of which the requester will be notified within one month. The notification will state the new deadline for response and the reasons for the extension.
If the Data Protection Officer does not act on the request of the requester, they are obliged, without delay and no later than within 30 days from receipt of the request, to inform the requester of the reasons for not acting and the possibility of lodging a complaint with the supervisory authority.
If the requester is not satisfied with the response, they have the right to lodge a complaint at any time with the Croatian Personal Data Protection Agency, Selska cesta 136, 10000 Zagreb. Complaints can be submitted in person, by post, or by email to: azop@azop.hr.
It is emphasized that in accordance with our obligations under the GDPR, we must retain in our records all responses to requests from data subjects. Data from the email through which you sent us the inquiry (such as your email address, name, and surname) will be processed until the process related to the request for exercising the rights of data subjects is completed, and thereafter as long as there is a need to fulfill the purpose for which this data was collected (up to 5 years from the resolution of the request/inquiry). Responses to requests related to privacy and personal data protection rights are kept for the purpose of demonstrating that we have responded to them.