Processing of personal data
Olympic Casino Customer Privacy Notice
Valid from: 06.11.2024
1. GENERAL
1.1. This notice explains the processing of customers’ personal data in gaming venues operated by Olympic Entertainment Group AS and the rights of customers and visitors of this website in relation to the processing of personal data.
1.2. The data controller is Olympic Entertainment Group AS (hereinafter referred to as “Olympic Casino”), Pronksi 19, Tallinn 10124, Estonia, +3726671250, estonia@oc.eu.
1.3. The contact details of Olympic Casino’s Data Protection Officer are DataProtectionOfficerEstonia@oc.eu, Pronksi 19, Tallinn 10124, Estonia.
1.4. Olympic Casino implements appropriate technical and organisational measures to protect personal data from unauthorised access, unlawful disclosure, accidental loss, alteration, destruction or other unlawful processing. We also require our cooperation partners, to whom we transfer personal data in accordance with this Privacy Notice, to implement the necessary organisational, physical and IT security measures. However, please note that even by using all technical and organisational measures to protect personal data, some risks, such as human error, cyber-attack, loss of electricity, software error or malicious actions of an individual, still remain. Upon discovering such breach, we shall take all reasonable steps to mitigate and minimise the risk to our customers.
1.5. Provisions on the processing of personal data may also be included in contracts between the customer and Olympic Casino. In such a case, in the event of a conflict of provisions, the provisions agreed upon in the contract shall apply.
1.6. If Olympic Casino amends the notice on the processing of personal data, it will publish the updated version footer under Privacy Notice. Depending on the content and effect of the amendment, we may or may not notify the customer of the amendment. If we materially change our data processing practices, especially when introducing new processing activities or technologies, then we shall provide a reasonable advance notice.
2. CUSTOMER RIGHTS
2.1. Olympic Casino guarantees all data subject rights as foreseen in the General Data Protection Regulation (the GDPR). To exercise the rights under section 2.2.1 - 2.2.6, the customer can contact the data protection officer listed in section 1.3.
2.2. Data subject rights under the GDPR:
2.2.1. The customer has the right to be informed on whether Olympic Casino processes their personal data and, if so, to receive a copy of the aforementioned data.
2.2.2. The customer has the right to request the rectification of inaccurate personal data concerning them.
2.2.3. The customer has the right to withdraw their consent to the processing of personal data (e.g. direct marketing consent) at any time, if the processing is based on consent. Withdrawal of consent does not affect the lawfulness of the processing that took place prior to the withdrawal.
2.2.4. The customer has the right to request the erasure of their personal data. Olympic Casino may delete data processed on the basis of consent or legitimate interest if the interests of Olympic Casino do not outweigh the interests of the customer. The right to erasure does not apply to data that is processed for the fulfilment of public interest or legal or contractual obligation, as long as that public interest or legal or contractual obligation is valid.
2.2.5. The customer has the right to object to the processing of their personal data (especially on the basis of legitimate interest) and to restrict the processing of their personal data where justified.
2.2.6. The customer has the right to receive their personal data, which they have submitted, in a structured and machine-readable format (if technically feasible) for transmission to other companies.
2.2.7. The Customer has the right to lodge a complaint about the processing of personal data with the Estonian Data Protection Inspectorate by sending an e-mail to info@aki.ee or in person at Tatar 39, Tallinn.
3. CATEGORIES OF PERSONAL DATA
3.1. Olympic Casino processes the following customer personal data.
3.1.1. Visit Data: name, surname, personal identity code or date of birth, type of the identity document, number of the document, date of issuance and validity, copy of the document, result of the personal data check from the Estonian Tax and Customs Board gambling self-exclusion list, the list of sanctioned persons and Olympic Casino’s casino exclusion list, casino venue and arrival date and time.
Source: directly from the customer when registering in a casino
3.1.2. Anti-Money Laundering and Terrorist Financing Prevention (AML) Data: Visit Data, occupation or activity, country of residence, information on being a politically exposed person, source and origin of funds, details of cash transactions over 2,000 € (time, place, amount, description), home address, source and origin of known funds other data on the person’s assets from public databases.
Source: directly from the customer, sanctions and PEP database service, national registries, media and other obliged persons with whom Olympic Casino cooperates for AML purposes.
3.1.3. Club Rewards Card Data: name, surname, personal identity code, e-mail, phone, residence country, language, information on being a politically exposed person, occupation, Club Rewards card number, date of issue, tier level, tier points, rewards points.
Source: customer when applying for the Club Rewards card
3.1.4. Gambling Data: Club Rewards card Data, name of the gaming venue, type and number of the gaming device, start and end time of the gaming session, details of the funds inserted during the session, the stake placed and the result of the game.
Source: customer when gambling using the Club Rewards Card
3.1.5. Transfer Data: IBAN of the bank account or the 4 final digits of the card number, the amount of the transfer or card payment, the place and time of the transaction.
Source: customer when making deposits or withdrawals.
3.1.6. Marketing and Communication Data: e-mail and/or mobile phone number, language of communication, product/service preference, consent to direct marketing, message content, date and time of message.
Source: Customer when consenting to receive direct marketing
3.1.7. Visual Data: visual image of the person, name of the gaming venue, camera number, date and time.
Source: Video surveillance. More information about that under section 8.
3.1.8. Website Data: IP address (including location based on IP address), Internet service provider, referrer URL, date, time, access token, session key, web browser type and version, device type, operating system, amount and status of data transmitted, MAC address;
Source: Customer’s web browser when navigating our website
3.1.9. Cookie Data: Olympic Casino uses cookies on its websites to optimise the websites and their functions. Some cookies may collect personal data. For more information, please consult Olympic Casino’s Cookie Policy.
Source: Customer’s web browser when navigating our website
3.2. Olympic Casino does not process special categories of personal data related to the customer (data concerning racial or ethnic origin, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health, genetic data and biometric data). If the customer provides Olympic Casino with such data, then the customer does so voluntarily and Olympic Casino shall delete this data after the purposes for which the data was provided Olympic Casino are no longer relevant, unless this data is required by Olympic Casino for the establishment, exercise of defence of legal claims. Olympic Casino does not oblige anyone to disclose special categories of personal data, unless provision of special categories of personal data is required by law for a specific purpose, for example when protecting against serious cross-border threats to health.
3.3. Depending on the purpose and nature of the processing, Olympic Casino collects data related to the customer from the customer, publicly available sources, and third parties such as public authorities, national databases, banks, and Acuris Risk Intelligence LTD, an intermediary of a database concerning the identification of politically exposed persons and sanctions. Olympic Casino may share this data between its departments to fulfil legal obligations or based on public interest, or its own legitimate interest.
4. LEGAL BASIS AND PURPOSES
4.1. The legal bases and purposes for the processing of the customer’s personal data are listed below:
Purpose | Legal basis | Categories of data |
|---|---|---|
Customer visit registration at the casino | Legal obligation | Visit Data |
Checking the validity of the customer's gambling restriction | Legal obligation | Visit Data |
| Registration of the customer's financial transactions | Public interest, legal obligation | AML Data, Transfer Data |
Cooperation and exchange of data with third obliged entities for the purpose of combating money laundering and terrorist financing. | Public interest | AML Data |
Carrying out the "Know Your Customer" procedure | Public interest, legal obligation | AML Data |
Provision of gambling services | Performance of a contract | Gaming Data, Transfer Data |
Processing of deposits and withdrawals | Performance of a contract | Visit Data, Transfer Data |
Direct marketing of Olympic Casino services/products | Consent | Marketing Data |
building customer loyalty and providing added value through the club reward card | Legitimate interest | Club Rewards Card Data, Gaming Data, Marketing Data |
collecting and handling customer feedback | Legitimate interest, legal obligation | Marketing and Communication Data |
Determination of customer's risk profile for the purposes of ensuring responsible gaming | Legitimate interest | Visit Data, Gaming Data, Transfer Data |
Assigning a customer's risk profile for AML purposes | Public interest, Legal obligation | Visit Data, AML Data, Gaming Data, Transfer Data |
maintaining the poker leaderboard | Performance of contract | Name, surname, country, poker standings |
Improvement of the Website | Legitimate interest | Website Data, Cookie Data |
| Management of Olympic Casino’s resources, including intra-group data transfers | Legitimate interest | All collected data |
Data sharing within the group for the organisation of joint campaigns and the management of a joint loyalty programme | Legitimate interest | Gaming Data, Communication Data, Marketing Data |
Fraud prevention and detection | Legal obligation, legitimate interest | Visit Data, Gaming Data, Transfer Data, Visual Data |
Ensuring safety of the customers in the gaming venue | Legal obligation | Visual Data, Visit Data, Gaming Data |
Ensuring safety of Olympic Casino’s property and employees in the gaming venue | Legitimate interest | Visual Data, Visit Data, Gaming Data |
Providing data to insurance providers for insurance payout | Legitimate interest | Visual Data, Visit Data |
Identification of persons with child maintenance arrears | Legal obligation | Name, surname, personal identity code |
Use of external service providers to detect and prevent fraud, and process payments | Legitimate interest | Gaming Data, Visit Data, Transfer Data |
Handling of reports of breaches of European Union law | Legal obligation | Communication Data, name, surname, other personal data in the breach notice |
Analysing customer gaming activity | Legitimate interest | Gaming Data |
4.2. In the case of data processing for the performance of legal or contractual obligations, the customer is obliged to provide such personal data. Failure to provide such data will prevent Olympic Casino from fulfilling its contractual or legal obligations and will limit the customer’s ability to use the services offered, or the customer agreement may be terminated and the customer will not be allowed in the gaming venue.
4.3. Where Olympic Casino processes personal data on the basis of legitimate interest, Olympic Casino has assessed that its legitimate interest in processing personal data for certain purposes outweighs the interests and rights of the customer.
4.4. Where the personal data is processed based on the website visitor’s or customer’s consent, then this consent can be withdrawn by contacting the data protection officer, whose contact details can be found in section 1.3, or by clicking at the unsubscribe link at the end of every direct marketing message.
5. PROFILING AND AUTOMATED DECISION-MAKING
5.1. Profiling is used in the following processes and is based on the following logic.
5.1.1. Marketing of the services/products offered by OlyBet and Olympic Casino, as well as joint administration of the loyalty programme, taking into account the volume of customer visits, services and games used. The profile analysis uses the collected data of the services used across the group companies, according to which personalised direct marketing offers are sent to the consenting customers’ electronic contact information, and the Club Rewards card tier level is determined.
5.1.2. Determining the AML risk profile taking into account the customer’s last 365 days of visits, game and payment statistics. On the basis of the risk profile, Olympic Casino may ask for proof of the customer’s income, failing which Olympic Casino has the right to restrict the customer’s access certain services or terminate the customer relationship and restrict the customer’s access to the gaming venue.
5.1.3. Determining the responsible gaming (RG) risk profile, taking into account the customer’s gaming statistics and information disclosed by the customer. If the customer’s gaming habits indicate that the customer could be a problem gambler, then Olympic Casino may, for the protection of the client, unilaterally and temporarily restrict the usage of certain services and/or impose maximum stake limits, and investigate whether the client could have difficulties in following the principles of responsible gaming. Depending on the customer’s own input, Olympic Casino may decide to cancel the restrictions and/or limits and raise or lower the limits, or suggest the customer to enroll in the national self-exclusion register.
5.2. Automated decision-making is used in the following processes and based on the following logic.
5.2.1. Generating weekly freeplay for the Club Rewards Card user, taking into account the customer’s game turnover of the last 30 days.
5.2.2. Upgrading a customer to the Bronze and Silver tier depending on rewards points and based on the customer’s previous 6 months’ game turnover.
5.3. We have assessed that the profiling and automated decision-making described in sections 5.1 and 5.2 above do not involve automated decision-making which bring about legal effects or otherwise significantly affect the customer. Decisions that are made based on the profiling that bring about legal effects or significantly affect the customer are always made by a human, taking into account the results of the profiling.
6. TRANSMISSION OF PERSONAL DATA
6.1. Olympic Casino uses various partners as personal data processors, who process data based on and to the extent of the instructions given by Olympic Casino. The partners may be both companies which are part of the Olympic Casino group, or third parties with whom Olympic Casino has entered into appropriate agreements for data processing.
6.2. When processing personal data, Olympic Casino will transfer your personal data to the following recipients, which may be either data controllers or processors: own group companies, public authorities, courts, banks, payment services providers (both for the provision of the service as well as AML cooperation), auditors and legal advisors, insurance companies, analytics service providers, fraud detection and prevention service providers, survey service providers, information transmission and communication service providers, PEP and sanction verification database intermediaries, poker tournament management software providers, whistleblowing platform operators, database operators, sports integrity organisations and unions.
6.3. Generally, Olympic Casino’s partners are located in the European Economic Area. If the Olympic Casino partner processing the personal data is located outside the European Economic Area, the safeguards to be used for the transmission of personal data are: an adequate level of data protection in the recipient country in accordance with the European Commission’s decision, or the use of standard contractual sections for data protection developed by the European Commission in the cooperation agreement (click on the relevant link for more information).
6.4. The joint controller of customer data is the OlyBet gaming environment operator OB Holding 1 OÜ (address Pronksi 19, Tallinn 10124, Estonia, +3726671250, estonia@oc.eu), which is part of the same group as Olympic Casino, with whom Olympic Casino processes customer data for the purposes of organising joint-campaigns, marketing services/products, sending communications (including direct marketing regarding Olympic Casino and OlyBet, depending on consent), sharing data between joint controllers for the joint management and provision of loyalty programs, determining the customer’s AML and RG risk profile and managing the group’s resources. The parties have entered into an agreement to this effect, which allows the parties to share the personal data to achieve the purposes contained in this Privacy Notice.
6.5. The processor of customer data is Olympic Casino’s subsidiary Kungla Investeeringu Osaühing (address Pronksi 19, Tallinn 10124, Estonia, +3726671250, estonia@oc.eu), with whom Olympic Casino processes customer data for the purpose of providing bar services and discounts based on Club Rewards Card Data.
7. PERSONAL DATA RETENTION
7.1. The personal data of a customer is retained until the purposes of the processing have been fulfilled or until the obligations arising from the legislation have been fulfilled. Generally, following the statutory retention time, the customer’s personal data will be deleted from the customer database, but the non-personalised (anonymised) Gaming- and Visit Data will remain. If the personal data is not deleted, Olympic Casino has assessed that it has a legitimate interest in retaining all or part of the data, in which case Olympic Casino will not retain the relevant data for longer than Olympic Casino needs to fulfil its legitimate purposes.
7.2. The following retention timelines are applicable:
7.2.1. To comply with gambling and AML legislation, Olympic Casino must retain collected personal data for 5 years after the last visit of the customer. This data involves the Visit Data and AML Data.
7.2.2. Data about deposits and withdrawals (Transfer Data) shall be kept for accounting purposes for a period of 7 years starting from the end of the financial year when the data was collected after which it shall be deleted.
7.2.3. Communication Data is retained for 3 years after the end of the relevant communication, or in case of dispute, until the statute of limitations period has expired according to the relevant provisions of the Act on the General Part of the Civil Code.
7.2.4. Data collected when performing obligations under the Act on Protection of Persons Who Report Work-Related Breaches of European Union Law, shall be retained for 3 years after the feedback is sent.
7.2.5. Marketing Data is retained until the withdrawal of marketing consent. Upon such withdrawal, the customer’s electronic contact information is deleted from direct marketing lists, but the contact information is otherwise retained to fulfil the provisions indicated under section 7.2.1 to perform the agreement and to comply with legal obligations, including for the purposes of sending the customer important information or to fulfil due diligence obligations.
7.2.6. Special categories of personal data provided by the customer under section 3.2 shall be deleted when they are no longer needed by Olympic Casino for the establishment, exercise of defence of legal claims or to fulfil legal obligations. In case such personal data is processed based on consent, then the data is deleted when the consent is withdrawn.
7.2.7. Visual Data collected using surveillance cameras is retained for 30 days as of collection date.
7.2.8. Cookie Data is retained according to the timelines indicated under the Cookie Policy, depending on the type of cookie.
8. VIDEO SURVEILLANCE
8.1. Olympic Casino uses video surveillance to fulfil its legal obligations to ensure the safety of visitors, maintain public order and to detect and prevent fraud and other types of illegal activities. Based on legitimate interests, the cameras are also used to protect Olympic Casino’s property and employees, and for the establishment, exercise or defence of legal claims.
8.2. The cameras cover the entrances of the office, in the gaming venues the entire customer zone, the cash desk, the bar and the entrance area of the gaming venues. Video surveillance processes Visual Data as indicated in section 3.1.7.
8.3. The (live) surveillance images and recordings can only be viewed by Olympic Casino’s surveillance staff. If requested by law enforcement authorities listed under § 37 (11) of the Estonian Gambling Act, the recordings will also be transmitted to them.
Charming Las Vegas will open its doors to you right here in Estonia!
Olympic Club Cards
Olympic newsletter
Follow our latest news & get the best offers.
By submiting the form you agree to receive communications from Olympic Entertainment Group.