Processing of Personal Data

Privacy Notice regarding the processing of personal data of OlyBet AutomatKlub users

1. General provisions

1.1. This Privacy Notice applies to the processing of personal data of users at OlyBet AutomatKlub operated by International Evona d.o.o. (hereinafter: OLYBET).

1.2. The controller of your personal data is the company International Evona d.o.o., with its registered office at Koledovčina 1, 10 000 Zagreb, Croatia, OIB: 76118645526, email: info-evona@oc.eu.

1.3. The contact details of the Data Protection Officer of OLYBET are as follows: zastita.podataka@oc.eu, address: Koledovčina 1, 10 000 Zagreb, Croatia.

1.4. OLYBET implements all necessary technical and organisational measures to protect personal data against unauthorised access, unlawful disclosure, accidental loss, alteration, destruction, or other unlawful processing. We also require our business partners, to whom we transfer personal data in accordance with this Privacy Notice, to implement the necessary organisational, physical, and IT security measures. However, please note that even with all technical and organisational measures applied, certain risks still exist, such as cyber-attacks, power outages, software errors, or malicious actions by individuals. Upon discovering such a breach, we will take all reasonable steps to mitigate and minimise the risk to our clients.

1.5. Provisions on the processing of personal data may also be included in contracts between users and OLYBET. In such cases, in the event of a conflict between different provisions, the provisions stipulated in the contract shall prevail.

1.6. If OLYBET amends this Privacy Notice, it will promptly publish the updated version on its website olybetautomatklub.hr.

2. User rights related to the processing of their personal data

2.1. The user has the right to be informed whether OLYBET processes their personal data and, if so, has the right to request and receive a copy of such data.

2.2. The user has the right to request the correction of inaccurate personal data relating to them.

2.3. The user has the right to withdraw their consent for the processing of personal data at any time (e.g. consent for direct marketing), if the processing is based on consent. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.

2.4. The user has the right to request the erasure of their personal data. OLYBET may erase data processed on the basis of consent or legitimate interest if OLYBET’s interests do not override the interests of the user. The right to erasure does not apply to data processed for the fulfilment of legal or contractual obligations for as long as such obligations are in force.

2.5. The user has the right to object to the processing of their personal data (in particular when based on legitimate interest) and to restrict the processing of their personal data in justified cases.

2.6. The user has the right to receive their personal data, which they have provided on the basis of consent or contract performance, in a structured and machine-readable format (where technically feasible) for transfer to other companies.

2.7. The user has the right to lodge a complaint regarding the processing of personal data with the Croatian Personal Data Protection Agency (AZOP) at the following contact details: Ulica Metela Ožegovića 16, 10 000 Zagreb, email: azop@azop.hr.

3. Processed personal data and their sources

3.1. OLYBET processes the following personal data of users:

3.1.1. Identity verification data: type of identification document, document number, date of issue and validity, result of verification of personal data against the self-exclusion list for gambling, list of sanctioned persons, country of residence, without any data storage, only real-time and automatic verification.

3.1.2. SPNFT (AML) data: country of residence, politically exposed person data, source and origin of funds, details of cash transactions above €2,000 (time, location, amount, description).

3.1.3. Club Rewards Card data: club rewards card number, date of issuance.

3.1.4. Gambling data: name of the gambling venue, type and number of gaming device, start and end time of gambling activity, details of funds wagered during play, wager amount and game result.

3.1.5. Marketing and communication data: email and/or mobile phone number, communication language, product/service preferences, consent for direct marketing, message content, date and time of message.

3.1.6. Visual data: visual image of the person, club name, camera number, date and time.

3.1.7. Cookie data: OlyBet uses cookies on its websites to optimise the pages and their functionality. Some cookies may collect personal data. For more information, please refer to the OlyBet Cookie Policy at olybetautomatklub.hr.

3.2. For the purpose of complying with obligations arising from regulations governing our business, in particular the Anti-Money Laundering and Counter-Terrorism Financing Act, the Games of Chance Act, the Foreign Exchange Act, the Accounting Act, or the General Tax Act, we process the following personal data: first name, last name, residential address, date of birth, identification number (OIB), citizenship, type of identification document, issuing country of the identification document, identification document number, issuing authority, transaction date and time, transaction amount and currency, transaction purpose in case of high risk of money laundering or terrorist financing, and video surveillance recordings. Processing is carried out for the fulfilment of legal obligations. Personal data will be processed for the duration prescribed by law.

3.3. For the purpose of promoting our products and services, if you have given your consent, we may contact you via email or telephone (mobile phone number). You have the right at any time to object to receiving promotional materials (including removal of your name from marketing lists). Your contact data will be processed for the duration of the contractual relationship, unless you object to receiving promotional materials.

3.4. For the purpose of fulfilling legal obligations, security purposes, and protection of our property, we may process video recordings captured in our premises. This processing is based on the Act on the Protection of Financial Institutions, and personal data will be processed only for the duration strictly necessary to fulfil the purpose, usually no longer than several weeks.

3.5. For the purpose of enrolling in the loyalty program (Club Rewards Card) and for the execution of the contract concluded with Club Rewards Card users, we process personal data obtained during your application for the club rewards card solely because such data is necessary for the functioning of the club rewards card. OlyBet cannot issue a Club Rewards Card if the user does not provide the data required for the application. If OlyBet is unable to process personal data related to the use of the Club Rewards Card, it will not be possible to calculate reward points or determine the Club Rewards Card tier. Users are responsible for providing accurate data, as OLYBET cannot fully provide services without it. OLYBET reserves the right, in case of doubt regarding the accuracy of the provided data and inability to verify it, not to issue a Club Rewards Card.

3.6. OLYBET does not process special categories of personal data relating to users (data revealing racial or ethnic origin, religious or philosophical beliefs, sexual life, sexual orientation, political opinions, trade union membership, health data, genetic or biometric data).

3.7. Depending on the purpose and nature of processing, OLYBET collects personal data from users, publicly available sources, and third parties such as public authorities, national databases, banks, and Acuris Risk Intelligence LTD, which acts as an intermediary for politically exposed persons and sanctions databases.

4. Legal basis and purposes of processing personal data

4.1. Legal bases for processing personal data are: compliance with legal obligations, performance of contractual obligations, consent of the data subject, and legitimate interest of OLYBET.

4.2. Purposes of processing include: user identification, registration of financial transactions, provision of gambling services, marketing of OLYBET products/services, processing user feedback, risk profiling, expansion of user base, loyalty building, resource management, improvement of gaming and website environment, monitoring workflows and staff, fraud prevention and detection, document archiving, and whistleblower reporting.

4.3.
4.3.1. For legal obligations: verification data, AML data, gambling data, visual data;
4.3.2. For contract performance: gambling data, transfer data, club rewards card data;
4.3.3. Based on consent: marketing and communication data, cookie data.

4.4. Where processing is required for legal or contractual obligations, users must provide the required data. Failure to do so will prevent OLYBET from fulfilling its obligations and limit the use of services.

4.5. When processing is based on legitimate interest, OLYBET has assessed that its interest outweighs the interests and rights of the user.

4.6. Consent may be withdrawn by contacting the Data Protection Officer (see 1.3.) or via the unsubscribe link in marketing messages.

5. Profiling and automated decision-making

5.1. Profiling is used for advertising OLYBET services/products based on visit frequency and usage.

5.2. Automated decisions are used for:
5.2.1. Generating weekly free play for club rewards card users based on turnover in the last 30 days;
5.2.2. Upgrading users to bronze, silver, and gold levels based on turnover in the previous 6 months.

6. Transfer of personal data

6.1. For the provision of services and/or for the fulfilment of its legal obligations, OLYBET uses partners as personal data processors, who process the data on the basis of and within the scope of the instructions provided by OLYBET.

6.2. During the processing of personal data, OLYBET will transfer your personal data to the following recipients: public authorities, courts, banks, auditors and legal advisors, insurance companies, analytics service providers, fraud detection and prevention service providers, user authentication service providers, archiving service providers, information transfer and communication service providers, intermediaries in databases for politically exposed persons (PEP) and sanctions screening, intermediaries in transfer services, whistleblowing reporting platform operators.

6.3. If an OLYBET partner processing data is located outside the European Union, the safeguards used for the transfer of personal data are: an adequate level of data protection in the recipient country in accordance with a decision of the European Commission, or the use of standard contractual clauses for data protection, which measures were developed by the European Commission within a cooperation agreement.

6.4. The joint controllers of users’ data are Olympic Entertainment Group AS, OB Holding 1 OÜ (both with registered office at Pronksi 19, Tallinn 10124, Estonia, 3726671250, estonia@oc.eu) and Modern Games d.o.o., with registered office at the same address as OLYBET, all of which are part of the same group as OLYBET, and with whom OLYBET processes user data for the purpose of marketing of services/products, organising joint campaigns, sending communications (including direct marketing related to OlyBet online Casino and Olybet Casino Osijek on the one hand and OLYBET on the other hand, depending on consent), determining the user’s risk profile, and managing OLYBET resources. The contractual parties have concluded an agreement for the above purposes.

6.5. Your personal data may be disclosed to trusted third parties that provide us with administrative or technical support, i.e. data processors. We may also share your personal data with public authorities or law enforcement bodies if this is necessary for the fulfilment of legal obligations, with external advisors, and with other personnel who are obliged to maintain the confidentiality of the data.

6.6. Only a limited number of our employees will have access to your personal data. Employees are obliged to maintain the confidentiality of your personal data and to comply with measures for strict protection of their confidentiality. They may handle personal data only in accordance with our explicit instructions.

7. Time limits for retention of personal data

7.1. Users’ personal data are retained until the purpose of processing has been fulfilled or until the obligations arising from applicable legal regulations have been fulfilled. We retain your personal data for as long as necessary to fulfil the purpose of the processing in question, i.e. usually for the duration of the contractual relationship, or for the period prescribed by applicable laws. In cases where we process your personal data on the basis of your consent, such personal data will be processed for the duration of your consent, which you may revoke or restrict at any time. If you do so, we will stop processing personal data for the purposes for which you revoked consent.

7.2. In accordance with gambling legislation, AML regulations and accounting regulations, OLYBET must retain identification, AML and gambling data for at least 10 years from the customer’s last business relationship. Generally, after the expiry of that period, the customer’s personal data will be deleted, unless OLYBET assesses that it has a legitimate interest to retain all or part of the data, in which case OLYBET will not retain the relevant data longer than necessary to fulfil legitimate purposes.

7.3. Video surveillance recordings will be retained for at least 14 days, but no longer than 30 days.

8. Video surveillance

8.1. OLYBET uses video surveillance for security purposes in its offices, slot clubs and gaming areas. The office entrance area, the entire customer area, the cash desk, the bar and the area in front of the entrance doors of the gaming areas are monitored by video surveillance systems.

8.2. OLYBET uses video surveillance in order to fulfil its legal obligations in ensuring the safety of visitors, employees and property, in detecting and preventing unlawful activities, and in protecting its legal rights.

8.3. Images and recordings from CCTV will be viewed exclusively by OLYBET staff responsible for surveillance. If requested by competent authorities, recordings will also be transferred to them.

9. Personal data protection measures

In order to achieve the highest possible level of protection, OLYBET has taken all necessary and currently possible technical, administrative and physical security measures.

9.1. Technical measures include the following:

  • all data collected in electronic form are stored as digital records on the company’s server located in an authorised data centre;

  • a backup is ensured for all collected data;

  • the company’s entire IT system is protected by the most modern antivirus protection that prevents unauthorised intrusions into the system;

  • two-factor authentication is used for all remote connections and is limited to senior support staff;

  • all online payments and data used for this purpose are protected by transcription technology, and the most modern secure online payment system is used.

9.2. Administrative measures include the following:

  • the right of access to personal data is granted only to an employee authorised by the company’s management;

  • all employees involved in implementing personal data protection measures are specifically trained for this;

  • organiser’s employees involved in collecting personal data have limited access to the data and are not familiar with them to an extent that would enable misuse.

9.3. Physical protection includes the following:

  • restricted access (under lock and key held only by authorised persons) and video surveillance of the premises where personal data are stored (server room);

  • full video surveillance and prevention of unauthorised access by non-employees to the company headquarters and the data centre where the above premises are located;

  • security service in all clubs;

  • security service supervising the building where the company headquarters and the data centre are located, controlling the entry of all non-employees into the building, as well as burglary and fire protection systems and services.

10. Data confidentiality

Client data of OLYBET, as well as other data that OLYBET has learned in the provision of services and in conducting business with clients, are considered a business secret and OLYBET may disclose them only in cases prescribed by law. OLYBET is obliged to forward certain personal data collected on the basis of legal obligations to certain state bodies within their legal powers, e.g.: the Ministry of Finance, the Tax Administration, the Office for the Prevention of Money Laundering, as well as other competent public authorities.

11. Exercising rights

In each of our clubs, a short instruction regarding your rights is available, as well as the “Request Form for Exercising Rights under the General Data Protection Regulation (GDPR)”, and you are free to request them from our employees.