Adria Casino d.o.o. from Zagreb, Dubečka 1, OIB: 90180501899, on October 5, 2020. brings the next

Adria Casino d.o.o., located at Dubečka 1, Zagreb, OIB 90180501899 (hereinafter referred to as Adria Casino d.o.o.), pays particular attention to the protection of personal data and privacy (hereinafter referred to as privacy protection) of its clients, suppliers, employees, and other entities with whom it interacts (hereinafter referred to as clients), in accordance with applicable regulations and best European practices (EU Regulation 2016/679, European Parliament). The protection of our clients' privacy is an integral part of our services and business practices.

With our Privacy Policy, we aim to provide clear information about the processing and protection of personal data handled by Adria Casino d.o.o., and to enable clients to easily monitor and manage their personal data and consents.

This Privacy Policy has been in effect since October 5, 2020, and it describes the personal data collected by Adria Casino d.o.o., how it processes this data, the purposes for which it is used, the duration and manner of its storage, as well as the rights of clients related to their personal data.

Controller:
ADRIA CASINO d.o.o.,
Dubečka 1, Zagreb,
VAT No.: 90180501899;
E-mail: [email protected],
Phone: 01/2922 390

Data Protection Officer:
e-mail: [email protected];
phone: 01/2922 390

The Privacy Policy applies to all personal data collected, used, or otherwise processed by Adria Casino d.o.o., either directly or through its partners. A personal data refers to any information relating to an identified or identifiable natural person, directly or indirectly.

Data processing encompasses any operation performed on personal data, such as collection, recording, storage, use, transfer, access to personal data, etc.

Adria Casino d.o.o. is the data controller concerning the personal data of its clients in accordance with the applicable personal data protection regulations.

The Privacy Policy applies to all natural persons who engage with Adria Casino d.o.o. in any capacity.

Adria Casino d.o.o. aims to be completely transparent and clear regarding the processing of clients' personal data, which is the purpose of this Privacy Policy, and to have a relationship with its clients based on trust.

Adria Casino d.o.o. processes personal data in accordance with the law.

Adria Casino d.o.o. collects and processes personal data only for a specific and lawful purpose and further processes it only in a manner consistent with the purpose for which it was collected.

We always use only the client data that is appropriate and necessary to achieve a specific lawful purpose, and not more than that.

Personal data is processed securely, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage (access to personal data is restricted to authorized personnel who need it to perform their job, but not to other employees).

We attach great importance to the personal data we process. The personal data we process must be accurate, complete, and up-to-date, and it is important that clients notify us of any changes to their data immediately or as soon as possible. Adria Casino d.o.o. is not and cannot be responsible for data provided by clients that is later changed without notification.

We collect, store, and process personal data for as long as prescribed by the law on which the obligation to collect personal data is based, as long as determined by consent, which clients are informed about when signing the consent, and as long as necessary to achieve a legitimate purpose.

Adria Casino d.o.o. collects personal data directly from clients. There is a legal basis for each personal data processing. The legal bases for processing personal data are: legal obligation of the data controller, processing necessary for the performance of a contract, client consent, and legitimate interest. In accordance with the Regulation, when processing personal data based on legitimate interest, we conduct a legitimacy test.

Below is a list of the personal data we collect, the legal basis on which we collect it, and the duration for which we store it.

For the purposes of contract execution, intent to enter into a contract, business negotiations, and similar activities, Adria Casino d.o.o. may collect the following personal data:

• Name and surname of the representatives of trading companies or property owners, etc.
• OIB (personal identification number)
• Residence
• E-mail address
• Property ownership details
• Bank account number

These data are stored for the period prescribed by the relevant law depending on the type of contract concluded, the period necessary for contract execution, and are deleted after this period. In case a client refuses to provide some of the requested data necessary for contract execution, Adria Casino d.o.o. reserves the right to refuse to enter into a business relationship with the client.

The legal basis for collecting data in online gambling is the legal obligation of the data controller. We are required to collect data based on the Law on Games of Chance, the Regulations on Organizing Games of Chance in Casinos through Interactive Sales Channels Online Gaming, and the Law on the Prevention of Money Laundering and Financing of Terrorism. The data we collect includes:

• E-mail
• Password
• Username
• First name
• Last name
• Residential address
• OIB (personal identification number)
• Mobile phone number
• Date of birth (day, month, year)
• Gender
• Bank account number (IBAN)
• Type of identification document
• Identification document number
• Expiry date of identification document (day, month, year)
• Issuer of identification document
• Country of issuance of identification document
• Scan or image of identification document
• Nationality
• Data on political exposure
• Nature of exposure
• Type of public office
• Source of assets

These data are stored for a minimum of 10 years as prescribed by the Law on the Prevention of Money Laundering and Financing of Terrorism. The data mentioned are collected based on legal requirements, and if a client refuses to provide the specified personal data, they will not be able to use the services of Adria Casino d.o.o. nor participate in games of chance.

In online gambling, Adria Casino d.o.o. applies automatic data processing of client data to fulfill contract requirements.

Adria Casino d.o.o. internally processes personal data necessary for the normal functioning of the online and interactive gambling systems. Personal data is anonymized, and in daily operations, all client data is processed anonymously..

Data processing aims to organize games of chance and perform specific data analysis to improve business operations, enhance service quality and levels, and increase client satisfaction. The data is not used for purposes not specified in this policy.

Access to personal data is only possible through direct access to the database and logs by an authorized administrator or specially authorized employees. Every access is logged. The purpose of accessing data is to ensure technical correctness and not to view personal data.

The legal basis for processing personal data in the case of video surveillance in slot machine clubs is the legal obligation of the data controller based on the Law on the Protection of Monetary Institutions.

Adria Casino d.o.o. applies alternative methods of protecting monetary institutions in all its slot machine clubs, and in accordance with the Law on the Protection of Monetary Institutions (NN 56/15), it implements all protection measures for slot machine clubs according to the Project Documentation prepared by ADC - Alarm Reporting Center, Letovanička 22, Zagreb, for each slot machine club separately. A video surveillance system is installed inside and outside the slot machine clubs with digital video recording storage. Communication between the data controller and ADC takes place via a monitored secure line. Only authorized persons appointed by the Data Controller have access to the server and monitor for video surveillance review. Video surveillance recordings are stored in accordance with the Law on the Protection of Monetary Institutions. The retention period for video surveillance recordings from slot machine clubs is 10 days, and video surveillance recordings from the casino are stored for a minimum of 60 days, all in accordance with regulations. In the event of a legal dispute or legal proceedings, and if there is a need to retain recordings longer than prescribed, they are kept in the organizational unit until the end of the proceedings.

Video recordings within the administration building are used to protect property and investigate criminal offenses, as well as to safeguard employees and visitors. The legal basis for processing data regarding visitors is legitimate interest, while for employees it is based on legal grounds. This is based on our interest in securing evidence and preventing criminal offenses. When installing video surveillance within the administration building, all conditions prescribed by the Law implementing the General Data Protection Regulation and regulations governing occupational safety are met. Video recordings are deleted after 7 working days. In case of a legal dispute or proceeding, or if there is a need to retain recordings longer than prescribed, they are kept within the organizational unit until the conclusion of the proceedings.

The legal basis for collecting personal data in slot machine clubs and casinos is the legal obligation of the data controller. Based on the obligation to conduct a due diligence analysis of the client before entering into a business relationship as per the Anti-Money Laundering and Terrorism Financing Act (NN 108/2017), we are required to collect the following personal data:

1. For a natural person, attorney, legal representative: name and surname, residence, date of birth, identification number, type and number of identification document, issuing country, and citizenship(s).
2. For the natural person for whom the transaction is intended: name and surname, residence, and identification number if available.
3. For a craft and other independent activities: name, headquarters (street and house number, place, and country), identification number of the craft and the person conducting the activity, and the same for the intended transaction if available.
4. For the real owner of the client: name and surname, country of residence, date of birth, and citizenship(s).
5. Information about the purpose and nature of the business relationship, including information about the client's activities.
6. Date and time of establishing the business relationship.
7. Date and time of the transaction, amount, and currency, method of transaction, and if there is a high risk of money laundering or terrorism financing, the purpose of the transaction.
8. Source of funds involved in the business relationship or transaction.
9. Other transaction-related data as per Articles 20, 56, and 57 of the Anti-Money Laundering and Terrorism Financing Act.

These data are retained for 10 years from the date of termination of the business relationship, as mandated by the Anti-Money Laundering and Terrorism Financing Act.

The legal basis for collecting data for marketing purposes is consent. Adria Casino d.o.o. uses data for marketing purposes, such as creating a database in the CRM application through which clients utilize various benefits. Personal data used for marketing purposes collected during the calendar year are deleted on January 2 of the following year. Data collected for marketing purposes via consent include.

• Name and surname
• Personal identification number (OIB)
• ID card number
• Date of birth
• Email address

When downloading vouchers in the Senator Hit the Jackpot application, it is necessary to enter personal data: nickname, name and surname, date of birth, and ID card number. By entering personal data and downloading the voucher, you give your explicit consent for the collection and processing of your personal data made available to us.

The personal data collected through the Senator Hit the Jackpot application will be used exclusively for marketing purposes, to measure the success of promotions, and will be treated in accordance with the EU General Data Protection Regulation (GDPR) (2016/679).

On our website, you will find icons for Facebook, Instagram, and YouTube. Clicking on the icons will redirect you to our profiles on the mentioned sites. These pages are used to post news and promotions. More information about data processing by social networks can be found in their individual data usage policies available for Facebook here, for Instagram here, and for YouTube here.

Adria Casino d.o.o., at the time of payment on the website www.senator.hr, requests data for initiating the payment process through Corvus Pay d.o.o., Buzin, Buzinski prilaz 10, the service provider for card processing and payment, a contracted partner of Adria Casino d.o.o., and the processor of personal data.

For this purpose, the personal data of the client (name and surname, address, card details) are temporarily stored by Corvus Pay d.o.o., which stores these data in accordance with PCI DSS certification, the highest level of protection, and confidentiality.

Adria Casino d.o.o. does not at any point possess, collect, or process personal data entered for the purpose of card processing and payment. For more details about the processing of personal data by Corvus Pay d.o.o., visit their website or click here.

Clients are advised to protect their card data to prevent unauthorized access and misuse.

The www.senator.hr website enables clients to pay via Corvus Wallet. Corvus Wallet is a separate payment and card data storage service owned by Corvus Pay d.o.o. To use this service, the buyer must register during the purchase process or have previously registered with Corvus Wallet.

Adria Casino d.o.o. does not at any point possess, collect, or process personal data entered for the purpose of card processing and payment via Corvus Wallet. Information about the processing of personal data related to Corvus Wallet by Corvus Pay d.o.o. can be found on their website or click here.

As a gambling organizer, we are obliged to implement player protection measures against excessive participation in gambling, in accordance with the Regulations on Organizing Games of Chance in Casinos via Interactive Sales Channels and Online Gaming, and our own principles of responsible gambling organization. More about the self-exclusion process can be read in our General Rules by clicking here.

The legal basis for collecting data during the self-exclusion process is the legal obligation of the data controller. Data is retained for the duration of the self-exclusion period and is then appropriately deleted and destroyed. Personal data required to conduct the self-exclusion process include.

• Name and surname
• Date of birth
• Gender
• Address of residence
• Place and postal code
• Contact phone
• Contact email
• ID card number and place of issue
• Photograph

The self-exclusion request is made using a form prepared by the Croatian Association of Gambling Organizers. Players also have the option to revoke self-exclusion. In that case, we collect the player's name, surname, and personal identification number (OIB). The revocation of self-exclusion is retained for the duration specified in the initial self-exclusion request.

Whenever you visit our website, our system automatically collects data and information from the computer system used to visit the site. The collected data relates to technical data, visit data, and cookies. The data is collected to improve the quality of service and security level. Technical data and visit data are retained for the duration of the session. The legal basis for collecting technical data and visit data is legitimate interest.

Technical data collected includes:

• IP address
• Device type
• Operating system
• Web browser
• Language settings
• Screen size
• Referring page
• Visit time

Visit data collected includes:

• Number of visits
• Number of unique visitors
• Session duration
• Bounce rate
• Most visited pages
• Traffic sources

To make the visit to the website as pleasant and convenient as possible, we store small data files called cookies on your devices. They ensure the website works optimally and help display pages correctly on your device. More about cookies can be read in the Cookie Policy available on the web.

For the purpose of hiring new employees, job advertisements are posted on the MojPosao portal. Adria Casino d.o.o. receives job applications from candidates, processing personal data that candidates voluntarily provide in their application and resume (name, surname, date of birth, contact details, work experience, qualifications, education, photograph). After the job competition ends, and no later than 30 days after, all collected documentation and data are deleted and destroyed in a prescribed manner. Participation in the competition is voluntary, and candidate data is processed as pre-contractual actions preceding the conclusion of an employment contract. Only authorized persons from the human resources department have access to candidate data.

Adria Casino d.o.o. receives open job applications via the email address provided on the website. For this purpose, personal data provided voluntarily by candidates in their application and resume (name, surname, date of birth, contact details, work experience, qualifications, education, photograph) are processed. Student job applications are also received through the same email for advertisements published through the Student Service. Open applications are received by a human resources department employee and appropriately archived. Only authorized persons from the human resources department have access to open job applications. Data sent through open job applications are processed based on legitimate interest solely for hiring new employees and are retained for 12 months.

Data is processed fairly and lawfully and is not collected in greater scope than necessary. Personal data of business partners, clients, etc., are collected and processed by Adria Casino d.o.o. for the purpose of concluding and fulfilling business cooperation agreements, in cases prescribed by law, and with client consent only for the purpose to which the consent relates. If the need arises to collect other personal data for a different purpose, clients will be informed in a timely manner, and their consent will be requested.

Client consent is considered to be a voluntary, specific, informed, and unambiguous expression of the client's wish, through which the client gives permission for the processing of personal data for certain purposes (e.g., a specific promotion) by a clear statement or affirmative action.

Clients manage their expressions of will and consents based on their needs and interests. Therefore, they can withdraw their consent at any time, in a simple and free manner, either personally at the business unit where the consent was given or via the email designated for data protection.

Adria Casino d.o.o. informs all its clients that during any promotional event or celebration such as birthdays held within individual automatic clubs, there is a photographer present who captures the event. Clients have the option to inform the manager of the automatic club on-site if they do not wish to be photographed and subsequently published on the official website and official Facebook profile. If they fail to inform the club manager about their preference not to be photographed and their photo is published, they can contact the Data Protection Officer via email at [email protected], and the photo will be promptly removed.

In accordance with the Personal Data Protection Act, Adria Casino d.o.o. has implemented prescribed technical measures and procedures to ensure controlled access to personal data, accessible only to authorized personnel. The collection and processing of data adhere to the latest security protocols, including servers, databases, backups, firewalls, encryption, monitoring systems, and access control systems—both physical and software-supported—to safeguard against loss or misuse of personal data.

Adria Casino d.o.o. ensures physical security of its premises through an alarm system and a CCTV surveillance system directly connected to security services with whom they collaborate. These security services respond either to calls or automatically to alarms triggered at their monitoring center, after which security personnel are dispatched to the site. All locations are equipped with state-of-the-art, sophisticated equipment as required by the Law on the Protection of Monetary Institutions.

The server equipment where data is stored is housed in server rooms protected by the aforementioned security measures. Within these rooms, servers are further secured in lockable server cabinets.

Access control measures are implemented throughout all locations where personal data is present, including electronic access systems and RFID card readers, both for general site access and specific rooms within each location.

All locations housing personal data are equipped with fire protection measures.

Computers/Workstations in Offices: Each user account is individually managed through Active Directory and Domain Group Policy settings.

Computers/Workstations in Automatic Clubs: These are either physically secured within locked anti-burglary cash registers accessible only to club personnel, or digitally secured with passwords.

Protection includes systems to prevent viruses, malicious applications, scripts, and unauthorized software components from executing, transmitting, or being received.

Regular backups are performed on all critical business systems as required by law and business needs.

Computer access to all systems is restricted in multiple ways, including limiting access rights at the user account level. Database access is restricted to authorized personnel only, protecting systems from unauthorized access, installation of unwanted applications, accidental data loss, and more.

These comprehensive physical and digital security measures ensure that Adria Casino Ltd. adheres to legal requirements and best practices in safeguarding personal data against unauthorized access, loss, or misuse.

Adria Casino d.o.o., as the data controller, has entered into contracts with several data processors who comply with the GDPR and handle all personal data strictly as prescribed. These arrangements are defined in contracts or annexes concluded with each data processor.

Adria Casino d.o.o. is obligated under legal provisions to transmit personal data collected to specific government bodies within the scope of their legal duties (e.g., Ministry of Finance, Ministry of Internal Affairs, Office for Prevention of Money Laundering and Financing of Terrorism, etc.).

The data collected by Adria Casino d.o.o. is considered confidential business information and may only be disclosed in the aforementioned legal scenarios.

According to the General Data Protection Regulation (GDPR), every client has the right to:

• Request access to personal data held by the data controller and request rectification or erasure of personal data, all in accordance with the provisions of these Rules and legal regulations.
• Request restriction of processing concerning them as a data subject, in accordance with the provisions of these Rules and legal regulations.
• Object to the processing of personal data, including the use of personal data for direct marketing purposes and automated decision-making, including profiling, all in accordance with the provisions of these Rules and legal regulations.
• Request data portability of personal data concerning them, in accordance with the provisions of these Rules and legal regulations.
• Withdraw consent for the processing of personal data at any time.

The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

Requests to exercise these rights can be submitted in one of the following ways:

• By email to: [email protected]
• By sending a request by mail to:Adria Casino d.o.o. , Dubečka 1, Zagreb
• By filling out the online form available on the company's website and sending it to [email protected]
• By calling the telephone number: 01/2922 390

For identification purposes, the request should minimally include:

• Personal information of the requester
• The specific right the requester wishes to exercise

The Data Protection Officer processes the received request immediately upon receipt, if possible. If further clarification is needed to process the request, the Data Protection Officer will forward the request to the appropriate competent persons for detailed response, and will respond to the requester based on the received information.

The response to the request is provided in the same format in which the request was received, unless the client has requested otherwise

Upon receipt of the request, the Data Protection Officer responds without undue delay and no later than within one month from the receipt of the request. Exceptionally, this period may be extended by an additional two months due to the complexity of the received request, of which the requester will be notified within one month. The notification will state the new deadline for response and the reasons for the extension.

If the Data Protection Officer does not act on the request of the requester, they are obliged, without delay and no later than within 30 days from receipt of the request, to inform the requester of the reasons for not acting and the possibility of lodging a complaint with the supervisory authority.

If the requester is not satisfied with the response, they have the right to lodge a complaint at any time with the Croatian Personal Data Protection Agency, Selska cesta 136, 10000 Zagreb. Complaints can be submitted in person, by post, or by email to: [email protected].

It is emphasized that in accordance with our obligations under the GDPR, we must retain in our records all responses to requests from data subjects. Data from the email through which you sent us the inquiry (such as your email address, name, and surname) will be processed until the process related to the request for exercising the rights of data subjects is completed, and thereafter as long as there is a need to fulfill the purpose for which this data was collected (up to 5 years from the resolution of the request/inquiry). Responses to requests related to privacy and personal data protection rights are kept for the purpose of demonstrating that we have responded to them.