PRIVACY RULES

On 21 May 2018, Adria Casino d.o.o. of Dubečka 1, Zagreb, PIN: 90180501899, issues these
PRIVACY RULES
Introduction
Adria Casino d.o.o. of Dubečka 1, Zagreb, PIN: 90180501899 (hereinafter referred to
as Adria Casino d.o.o.) is particularly committed to protecting personal data and
privacy (hereinafter referred to as privacy protection) of its customers, suppliers,
employees and other parties it may come in contact with (hereinafter referred to as
customers) in accordance with the applicable legislation and best European practices.
Protecting our customers’ privacy is an integral part of our services and how we
conduct our business.
These Privacy Rules are intended to provide clear information about the processing
and protection of personal data processed by Adria Casino d.o.o. and allow our
customers to easily monitor and manage their personal data and consents.
These Privacy Rules apply as of 25 May 2018 and describe which personal data Adria
Casino d.o.o. collects, how it processes them and for which purposes it uses them, for
how long and how it retains them, as well as customers’ rights associated with their
personal data.
Personal data controller: ADRIA CASINO d.o.o., Dubečka 1, Zagreb, PIN: 90180501899;
e-mail: zastitapodataka@senator.hr; phone: 01/2922 390

Data Protection Officer: e-mail: zastitapodataka@senator.hr; phone: 01/2922 390
1. Scope of applicability
These Privacy Rules apply to all personal data collected, used or otherwise processed
by Adria Casino d.o.o., directly or through its partners. Personal data is any data
relating to a natural person identified or directly or indirectly identifiable.
Data processing is any action taken on personal data, for example their collecting,
recording, storing, using, transferring, viewing, etc.
Adria Casino d.o.o. is the controller in relation to its customers’ personal data within
the meaning of the applicable personal data protection legislation.
These Privacy Rules pertain to all natural persons coming in contact with Adria Casino
d.o.o. in any capacity (employees, gaming club guests, suppliers…).

2. Personal data processing principles
2.1. Trust
Adria Casino d.o.o. intends to be fully transparent and clear with respect to the
processing of its customers’ personal data, which is the purpose of these Privacy
Rules, and maintain with its customers a relationship based on trust.
2.2. Lawfulness of data processing
Adria Casino d.o.o. acts in compliance with the applicable law when processing
personal data.
2.3. Limited purpose of processing
Adria Casino d.o.o. only collects and processes personal data for specific and
legitimate purposes and further processes them to meet the purpose they are
collected for.
2.4. Reduction of data amounts
We always use only such customer data that are appropriate and necessary to fulfill a
specific legitimate purpose and no other data.
2.5. Integrity and confidentiality
Personal data are processed in a secure manner, including protection against
unauthorized or illegal processing and against accidental loss, destruction or damage
(access to personal data is only allowed to authorized persons on a need-to-know
basis, exclusive of any other employees).
2.6. Quality of personal data
We treat personal data we process as highly important. Personal data we process
must be accurate, complete and up to date, so it is important that customers notify us
of any change to their data immediately or as soon as possible. Adria Casino d.o.o. is
not and may not be responsible for any data provided to it by its customers that they
later change without notifying it.
2.7. Limited storage time
We only collect, store and process personal data for as long as this is necessary to
fulfill a legitimate purpose, i.e. for as long as we are required to under the applicable
legislation (operating documents are retained permanently, video recordings within a
gaming club as a monetary institution are retained for 168 hours, etc.).
3. How we collect personal data
Adria Casino d.o.o. primarily collects personal data directly from its customers (future
employees, gaming club customers, etc.). We also collect data via online portals – Moj
posao, Posao.hr.

Any collection of personal data is conditional upon the existence of relevant
legitimate interest.
4. Types of data we collect
Adria Casino d.o.o. only collects personal data based on legitimate interest, which is
either lawful grounds or customer consent. The requests we use to collect data
indicate the exact purpose they are collected for and where and for how long they are
stored.
4.1. Contractual data
For the purpose of performing a contract, or when intending to enter into one, for
business negotiations and the like, Adria Casino d.o.o. may collect the following
personal data:
• Names of natural persons representing corporations or real property owners,
etc.;
• PIN;
• Residence;
• E-mail address;
• Real property ownership information; and
• Bank account information.
These data are retained for the period defined by a specific law depending on the
type of the contract, such period being necessary to perform the contract, and are
erased thereafter. In case a customer refuses to provide any requested data
necessary to perform a contract, Adria Casino d.o.o. reserves the right to refuse to
establish a business relationship with such customer.
4.2. Data collected pursuant to the Monetary Institutions Protection Act
In its gaming clubs, Adria Casino d.o.o. uses alternative methods of monetary
institution protection and implements, pursuant to the Monetary Institutions
Protection Act (Official Gazette No 56/15), all gaming club protection measures in
accordance with the Project Documentation prepared by ADC – Alarmni Dojavni
Centar, Letovanička 22, Zagreb, separately for each gaming club. Each gaming club
has an installed video surveillance system within and outside the facility, which stores
video recordings in digital format. The communication between the controller and
ADC is conducted via a controlled and secure line. Access to the server and the
monitor designed for viewing video surveillance is only allowed to authorized persons
appointed by the controller. Video surveillance recordings are retained in accordance
with the Monetary Institutions Protection Act.
4.3. Data collected pursuant to the Anti-Money Laundering and Terrorist
Financing Act
Based on our obligation to conduct customer due diligence before establishing a
business relationship, we are, pursuant to the Anti-Money Laundering and Terrorist
Financing Act (Official Gazette No 108/2017), required to collect the following
personal data:
1. For a natural person, attorney or legal representative: full name, residence, day,
month and year of birth, identification number, name and number of the identity
document, issuer’s name and country, and nationality(ies);
2. For a natural person for whom the transaction is intended: full name, residence
and the natural person’s identification number, if any;
3. For a craft business or any other independent undertaking:
a) name, registered office (street and building number, town/city and country) and
identification number of the craft business or person engaged in any other
independent undertaking where a business relationship is being established or a
transaction is being executed for such craft business’s or other independent
undertaking’s business purposes; and
b) name, registered office (street and building number, town/city and country) of the
craft business or person engaged in any other independent undertaking for
which/whom a transaction is intended and the identification number of the craft
business or person engaged in any other independent undertaking, if any.
4. For a customer’s beneficial owner: full name, country of residence, day, month and
year of birth, and nationality(ies);
5. Data about the purpose and the intended nature of the business relationship,
including information about the customer’s business activities;
6. Date and time of establishing the business relationship;
7. Date and time of transaction execution, transaction amount and currency,
transaction execution method and, if an obliged entity finds the money laundering or
terrorist financing risk to be high based on a risk assessment conducted in accordance
with the provisions of this Act and the secondary legislation enacted pursuant
thereto, the purpose of the transaction;
8. Data about the source of the funds which are or will be the subject of a business
relationship;
9. Data about the source of the funds which are or will be the subject of a transaction;
10. Any other data about transactions, funds and persons in accordance with Article
20, in conjunction with Articles 56 and 57 of the Anti-Money Laundering and Terrorist
Financing Act.
Such data are retained for 10 years following the termination date of the business
relationship, which period is defined by the Anti-Money Laundering and Terrorist
Financing Act.
4.4. Data collected for marketing purposes
Adria Casino d.o.o. only collects data it uses for marketing purposes, such as creating
a database in its CRM application which customers use to obtain various benefits, on
the basis of consent given by the individual whose data are being collected.

If it becomes necessary to collect other personal data or if new legitimate interest
arises based on which Adria Casino d.o.o. should collect personal data, it shall
supplement these Privacy Rules and publish them on its website.
5. The purposes for which we collect personal data
Data are processed in a fair and lawful manner, to the extent necessary. Adria Casino
d.o.o. collects and processes personal data of its business partners, customers and
the like for the purpose of entering into and performing a business cooperation
contract, in cases defined by law, and subject to customer consent, exclusively for the
purpose such consent is given for.
6. Customer consent
Customer consent is a customer’s voluntary, specific, informed and unambiguous
expression of desire whereby a customer makes a clear statement or takes a
confirmatory action to indicate his agreement to the processing of his personal data
for specific purposes (e.g. a specific promotion).
The customer may manage his expressions of his intentions and his consents based
on his needs and interests, so he may deny his consent at any time, easily and free of
charge, personally within the business unit where he gave his consent or by an e-mail
sent to the address dedicated to data protection.
7. Posting customers’ photographs on controller’s official website
(www.senator.hr) and official Facebook profile (Senator automat klubovi
Hrvatska)

Adria Casino d.o.o. notifies its customers that it has a photographer who takes
photographs of each promotion event, birthday party, etc. within each gaming club
and that they may tell the gaming club manager directly if they prefer not to be
photographed and posted on the official website and official Facebook profile. If a
customer fails to tell the gaming club manager that he prefers not to be
photographed, he may contact our Data Protection Officer at
zastitapodataka@senator.hr and such photograph shall be removed as soon as
practicable.
8. Personal data protection measures
The required technical measures and procedures have been undertaken and access to
personal data is controlled and only allowed to authorized persons in accordance with
the Personal Data Protection Act. The latest security procedures are used for data
collection and processing, including servers, databases, backup, firewalls, encryption,
surveillance systems and physical and software-based access control to provide
protection against loss or abuse of personal data.

8.1. Physical security of data
• The company premises are protected by an alarm system and a video
surveillance system directly connected to the security firms we cooperate
with, which respond based on our call or an automated alarm that goes off in
their alarm centers, after which security guards visit the relevant location. All
our sites are equipped with state-of-the-art sophisticated equipment defined
by the Monetary Institutions Protection Act;
• The server equipment used to store data is contained in server rooms
protected as described above and additionally within locked server cabinets
inside such server rooms;
• Each site where personal data are kept uses access control based on
electronic inlets and RFID card readers, both at the site and in each room
within the site;
• Each site where personal data are kept is secured by fire protection measures.
8.2. Digital protection of data
• Computers/workstations in offices – the Active Directory and Domain or
Group Policy separately define the terms for each user account;
• Computers/workstations within gaming clubs are either physically secured
inside an anti-burglary cash register which is locked and may only be accessed
by gaming club employees or digitally by a password;
• Mobile devices are protected by mandatory password-based phone locking.
Our security includes systems for the prevention of viruses and other malware, scripts
and code parts, sending and receiving of such applications, etc.
Backup is performed on a regular basis on all systems relevant to business and where
legally prescribed.
Computer access to any system is restricted in several ways. The security methods
used include but are not limited to the restriction of access rights on the user account
level and to allowing access to databases to authorized persons only. This helps
protect our systems against unauthorized access, installation of unwanted
applications, deliberate causing of data loss, etc.
9. Personal data processors
As the personal data controller, Adria Casino d.o.o. has contracts in place with several
processors that act in compliance with the Regulation and treat all personal data
exactly as prescribed therein and defined by the contracts we have in place with them
and the relevant annexes thereto.
The processors Adria Casino d.o.o. deals with are:
• ADC – Alarmni Dojavni Sustav d.o.o., Letovanička 22, Zagreb;
• Micro World d.o.o., Vrbje 5, Zagreb;
• Integrirani poslovni sustavi d.o.o., Mokrice 100, Oroslavje; and
• Net plus d.o.o., N. Tavelića 17, Hrašćica, Varaždin.
10. Transferring personal data to third parties
Adria Casino d.o.o. is required to forward all personal data it collects pursuant to the
applicable legislation to the relevant authorities within the scope of their statutory
activities (Ministry of Finance, Ministry of the Interior, Anti-Money Laundering and
Terrorist Financing Office, etc.).
All data collected by Adria Casino d.o.o. are treated as confidential information and
may only be disclosed in the cases provided for by the law.
11. Subject rights (rectification, erasure, objection, access, restriction of processing,
transferability)

Pursuant to the General Data Protection Regulation, each customer is allowed to:
1) request from the controller access to his personal data and to rectify or erase such
personal data in accordance with the provisions of these Rules and the relevant
statutory provisions;
2) request from the controller to restrict the processing of data relating to him as a
subject in accordance with the provisions of these Rules and the relevant statutory
provisions;
3) object to the processing of his personal data, including the use of personal data for
direct marketing and automated decision-making purposes, including profiling, in
accordance with the provisions of these Rules and the relevant statutory provisions;
4) request from the controller to transfer any personal data relating to him in
accordance with the provisions of these Rules and the relevant statutory provisions;
and
5) withdraw his consent to the processing of his personal data at any time.
Such withdrawal of customer’s consent shall not affect the lawfulness of the
processing of his personal data collected based on his consent before its withdrawal.
In case a customer has any questions or complaints or wishes to submit a request or
exercise his rights in connection with the protection of any personal data specified in
the Regulation or in the preceding section, he may contact our Data Protection
Officer or controller electronically at zastitapodataka@senator.hr or in writing at:
Adria Casino d.o.o., Dubečka 1, Zagreb.
You may at any time contact us and view, alter or modify/rectify such data in
accordance with your rights under the applicable laws.
The customer may at any time submit a complaint to the personal data protection
supervisory authority:
Personal Data Protection Agency
Martićeva ulica 14, 10000 ZAGREB