
Data Processing Policy

The present Data Processing Policy (hereinafter: Policy) contains the rules on the protection of personal data processed by CAI Hungary Kft. (hereinafter: Controller or Casino). The scope of the Policy covers the entire data management process.

Please read this Policy carefully. Should you have any queries or submissions in relation to the provisions set forth herein, do not hesitate to contact us prior to the adoption of the Policy.

I.

1.) Controller data

Controller’s Name: CAI Hungary Kft.

Company Registration Number: Cg.: 08-09-027729, registered by the Company Registry Court of Győr

Registered Office: 9400 Sopron, Lackner Kristóf utca 33/A

Tax Number: 25452693-1-08

E-mail: cso@casinosopron.hu

Telephone: +36 99 512 350

Data Protection Officer: Dr. Tamás László Ács

Data Protection Officer Contact Details:

E-mail: acs.tamas@chello.hu

Address: 1016 Budapest, Avar utca 8

Telephone: 06-20-9-425-022

2.) Purposes of the Policy

The purpose of the Policy is to guarantee the enforcement of the legal requirements of data protection, and to set out the data management principles, purposes and other facts which determine for what purpose, how and for how long we manage personal data provided by the data subject, and which enforcement possibilities and remedies the data subject is entitled to under the relevant legal requirements.

The Controller shall make every effort to ensure the protection of personal data provided by the data subject and processed by the company during the processing of data.

The purpose of this Policy is to ensure for every individual, in all the services provided by the Controller and in all of its operational areas, whatever his nationality or residence, respect for his rights and fundamental freedoms, and in particular his right to privacy, with regard to the processing of personal data relating to him.

3.) Legislation used in preparing the Policy

The Controller respects the data subject’s personal data, and obliges itself to ensure that its data management process complies with this Policy and with the specific provisions of existing legislation in particular, but not exclusively:

- Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR)

- Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information (hereinafter: Privacy Act),

- Act XXXIV of 1991 on the Organisation of Gambling (hereinafter: Gambling Act),

- Decree No 32/2005 (X. 21.) PM on the Regulation of the Authorisation, Organisation and Control of Certain Gambling Activities,

- Act LIII of 2017 on the Prevention and Combating of Money Laundering and Terrorist Financing (hereinafter: Anti-Money Laundering Act),

- Government Decree 329/2015 (XI. 10.) on the Detailed Rules of Responsible Game Organisation,

- Act CXXXIII of 2005 on the Rules of Personal and Property Protection Activities and Private Investigation,

and is in compliance with other regulations and directives concerning data processing.

5.) Definitions

1. ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

2. ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

3. ‘restriction of processing’ means the marking of stored personal data with the aim of limiting their processing in the future;

4. ‘pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;

5. ‘filing system’ means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;

6. ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller;

7. ‘recipient’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;

8. ‘third party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;

9. ‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

10. ‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;

11. ‘biometric data’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioral characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;

12. ‘supervisory authority’: Hungarian National Authority for Data Protection and Freedom of Information (NAIH);

13. ‘system’ means all the technical solutions operating the Controller’s services;

14. ‘User’ means a natural person over 18 years of age (player/customer/guest) who, in the context of the Controller’s operation, provides his or her personal data and uses the casino’s services - in line with the provisions set out in the casino’s Rules for Participation and the legislation in force.

15. ‘Rules for Participation’: the casino’s rules for participation in force.

6.) Lawfulness of processing

Processing shall be lawful only if and to the extent that at least one of the following applies:

a. the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

b. processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

c. processing is necessary for compliance with a legal obligation to which the Controller is subject;

d. processing is necessary in order to protect the vital interests of the data subject or of another natural person;

e. processing is necessary for the purposes of the legitimate interests pursued by the Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.

Where processing is based on consent, the Controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.

The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw consent as to give it.

7.) Principles relating to processing of personal data

Personal data shall be:

a) processed lawfully, fairly and in a transparent manner in relation to the data subject ('lawfulness, fairness and transparency');

b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1) GDPR, not be considered to be incompatible with the initial purposes ('purpose limitation');

c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed ('data minimisation');

d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay ('accuracy');

e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) GDPR subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject ('storage limitation');

f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ('integrity and confidentiality').

The Controller shall be responsible for, and be able to demonstrate compliance with the above principles ('accountability').

II.

INDIVIDUAL PROCESSING

1.) Register of persons entering the Casino

Scope of data processed:

Minimum scope of computerised registration data to be recorded during the registration of the player:

- Name (family and first name),

- name at birth (family and first name),

- mother’s name,

- place of birth (name of the settlement only),

- date of birth (in YYYY-MM-DD format),

- player’s photograph,

- digital copy of the identification document.

The name at birth shall be completed in any case, even if it is not contained by the document submitted as proof of a person’s identity.

By adopting the Rules for Participation and with his or her written statement, the player agrees to digital recordings being taken of him or her and allows the casino to make a copy of his or her documents.

In addition to the minimum data set the casino records the player’s following data:

1. nationality

2. address

3. type, number and expiry date of identification document

4. in case of a foreign natural person the data indicated in the identification document out of the above data, and the place of residence in Hungary. The casino will record the data non identifiable from the documents in an oral exchange.

Date of registration, number and date of previous visits

5. digital photograph

The identification may take place on the basis of the presentation of the following document(s):

1. Identity Card and Address Card in case of Hungarian citizens.

2. In case of a foreign natural person photographic document issued by foreign authorities (passport, ID card, driver's license), entitling the person to reside in Hungary, or document certifying the right of residence or residence document.

During the customer due diligence, in order to implement the identification upon the entering of customers, when issuing the entry card the entering person’s data and the copy of documents provided for in the legislation in force shall be recorded in the casino’s computer system. The entering person adopts the casino’s Rules for Participation in his or her written statement, furthermore in his or her written statement agrees to his or her data being processed by the casino on the basis of Section 7(1)-(3) of the Anti-Money Laundering Act.

The casino, in order to control the identity, verifies the validity of the identity document presented. If the customer refuses to identify himself or herself, the casino will deny the services, i.e. the entry.

The casino’s employees shall inform the customers about their rights and obligations in accordance with the rules of polite communication, and shall process customers’ data taking into consideration the data protection rules.

Upon the entry into the casino the customer shall inform the casino about the changes in the data provided on the occasion of the previous entry. The casino draws its guests’ attention to this obligation with a clearly visible notice at the reception, and with the provision included in the Rules of Participation.

Purpose of processing: implementation of customer due diligence in accordance with the legislation applicable (measures specified in Section 7 of the Anti-Money Laundering Act), and proceeding under player protection rules.

Under the legislation in force, the casino operated by the Controller is obliged to identify the customer (player) upon his or her entry into the casino’s territory on the basis of the documents provided for by law.

Any person declared legally incapacitated by court or whose legal capacity has been declared partially limited by court due to gambling addiction, in the category of case concerning his or her statements related to this, shall not be involved in gambling.

Legal basis for processing: legislative provision (Section 6 of the Anti-Money Laundering Act and Section 57 of Decree No 32/2005 (X. 21.) PM).

Duration of processing: 8 years after the end of the business relationship.

2.) Player Protection Register

Scope of data processed:

- name,

- mother’s maiden name,

- place and date of birth,

- type and number of identification document,

- place of residence/address.

Purpose of processing: the Gambling Supervision Board of Hungary keeps a record of persons subject to self-restraining and self-excluding measures and persons placed under guardianship by court; the so-called player protection register.

The casino, simultaneously with the customer identification set out in the Act on the Prevention and Combating of Money Laundering and Terrorist Financing, verifies prior to the player’s registration whether on the basis of the player protection register – taking into consideration the casino and the type of gambling – the player is subject to restriction or not.

If the player is subject to restriction according to the player protection register’s data, the casino shall not proceed with the player’s identification and shall refuse registration.

The Controller attaches to this Policy a data protection notice on the player protection register as Annex 1.

Legal basis for processing: Section 1(6) of the Gambling Act, Section 16 of Government Decree 329/2015 (XI. 10.)

Duration of processing: 6 years after the generation of data.

3.) Expulsion Register

In order to ensure effective implementation of the refusal of entry and access to gambling (hereinafter: expulsion) the casino keeps a record of players seriously violating the Rules for Participation. The cases of serious violation of the Rules for Participation are listed in point 9 of the Rules for Participation.

Scope of data processed:

- name,

- mother’s maiden name,

- place and date of birth,

- type and number of identification document,

- place of residence/address,

- nationality.

Purpose of processing: in order to ensure effective implementation of the refusal of entry, login and access to gambling (hereinafter: expulsion) the Controller keeps a record of players seriously breaching the contract concluded for the participation in gambling. The Controller registers in the record the above data of the player, the fact of and the reason for expulsion, the date of order, and the ad hoc nature or fixed-term duration of a period of up to 5 years. The expelled player may consult the expulsion register regarding his or her expulsion data. Simultaneously with the consultation, the player may require the issue of a document on the data recorded, which shall be satisfied by the Controller free of charge simultaneously with the consultation, or not later than the following business day.

Legal basis for processing: Section 1(5c) of the Gambling Act.

Duration of processing: 6 years after the imposition of expulsion.

4.) Politically Exposed Person Register:

The casino must request the customer to provide a written statement declaring whether he or she is a politically exposed person (Section 8(3) of the Anti-Money Laundering Act).

Politically exposed person shall mean a natural person who is entrusted with prominent public functions, or who has been entrusted with prominent public functions within one year before the implementation of customer due diligence measures.

The provisions relating to politically exposed persons shall also apply to family members or persons known to be close associates of politically exposed persons.

‘Natural person who has been entrusted with prominent public functions’ shall include:

a) heads of State, heads of government, ministers and deputy ministers, state secretaries, in Hungary the head of State, the Prime Minister, ministers and state secretaries,

b) members of parliament or of similar legislative bodies, in Hungary members of parliament and spokesmen for the nationality,

c) members of the governing bodies of political parties, in Hungary members and officers of the governing bodies of political parties,

d) members of supreme courts, of constitutional courts or of other high-level judicial bodies, the decisions of which are not subject to further appeal, in Hungary members of the Alkotmánybíróság (Constitutional Court), of the courts of appeal and the Kúria (Curia),

e) members of courts of auditors or of the boards of central banks, in Hungary the President and Vice-President of the Állami Számvevőszék (State Audit Office), members of the Monetáris Tanács (Monetary Council) and the Pénzügyi Stabilitási Tanács (Financial Stability Board),

f) ambassadors, chargés d’affaires and high-ranking officers in the armed forces, in Hungary the head of the central body of law enforcement bodies and organisations and his deputy, Chief of Staff of the Hungarian Army and Deputy Chiefs of Staff of the Hungarian Army,

g) members of the administrative, management or supervisory bodies of enterprises with majority state ownership, in Hungary the managing directors of enterprises with majority state ownership, including members of the management body exercising control or supervisory rights of such enterprises,

h) directors, deputy directors and members of the board or equivalent function of an international organisation.

Scope of data processed:

- name,

- mother’s maiden name,

- place and date of birth,

- place of residence/address,

- indication of prominent public function

Purpose of processing: Compliance with the provisions of the Anti-Money Laundering Act, fulfillment of legal obligation to which the Controller is subject.

Legal basis for processing: Section 8(3) of the Anti-Money Laundering Act.

Duration of processing: 8 years after the end of the business relationship.

5.) VIP player register

Scope of data processed:

- name,

- mother’s maiden name,

- place and date of birth,

- type and number of identification document,

- place of residence/address,

- nationality.

Purpose of processing: Provision of VIP service. In order to provide hospitality to VIP players, with the written consent of VIP players the casino forwards the VIP player register’s data to Szerencsekerék Kft. (Company Registration Number: Cg.: 08-09-014782, Registered Office: 9400 Sopron, Lackner Kristóf utca 33/A) operating the casino’s bar.

Legal basis for processing: Article 6(1)(a) and (b) GDPR, and Section 5(1)(a) of the Privacy Act.

Duration of processing: until revocation, but no later than the end of the business relationship.

6.) Certification of Winning Register

Scope of data processed:

- name,

- mother’s maiden name,

- place and date of birth,

- type and number of identification document,

- place of residence/address,

- nationality.

Purpose of processing: a certification of winning may be supplied by the gambling service provider at the request of a player who is entitled to winnings in a foreign currency of the equivalent of HUF 2 million or more, indicating a description of the game and the exact amount of the prize; compliance with the legal obligation to which the Controller is subject.

The certification of winning shall contain the player’s identification data, the place and date when and where the game was held and the winning was collected, and the amount of personal income tax deducted from the prize by the gambling service provider. The certification of winning is issued on a document introduced and authenticated by the national tax authority.

When issuing the certification of winning, the casino ascertains whether the personal data have changed, and if such changes occurred, it shall carry out the verification of the player’s identity prior to the issuance of the certificate, recording the date and the changes in the data.

Legal basis for processing: Section 1(8) of the Gambling Act.

Duration of processing: 8 years after the end of the business relationship.

7.) Register of abandoned chips (orphans):

Scope of data processed:

- name,

- mother’s maiden name,

- place and date of birth,

- type and number of identification document,

- place of residence/address.

Purpose of processing: registration of abandoned chips found in the casino. Chips found in the territory of the casino (e.g. left on the gaming table, or left behind during the game) the owner of which is not known are considered orphans. Orphans shall be immediately paid to the casino’s main cashier, and recorded in the orphans’ register. This sum of money - in case of chips, a sum equal to the value of the chips - shall be repaid to any person who proves his or her right of ownership of such orphans. The repaid money shall be recorded in the orphans’ register. This should contain the date of repayment, the owner’s name, residence, and the minutes including the investigation on the case shall also be attached. The orphans that have not been repaid - excluding small-value orphans - shall be included in the casino’s other revenues one year after the date of finding. When applying this rule, small-value orphan means any abandoned chips with a value of less than HUF 100. Small-value orphans shall be included in the casino’s other revenues at the first closing time after they were found.

Legal grounds for data processing: Section 62 of Decree No 32/2005 (X. 21.) PM.

Duration of processing: 8 years after the end of the business relationship.

8.) Electronic Monitoring System

Scope of data processed: video recording of people entering the casino’s territory.

Purpose of processing: For the security of customers a video surveillance system prescribed by the Gambling Supervision Board is installed in the casino, and, in addition to that, the casino installed a video surveillance system for the protection of property as well.

In order to ensure that data obtained in carrying out customer due diligence measures taken for the prevention and combating of money laundering and terrorist financing can be linked to player transactions, and for the effective implementation of supervisory activities, the casino shall be empowered to record the photographic images of natural person customers and to make video recordings of activities carried out in its premises, and to keep such photographic images in storage in its electronic registers.

The casino processes the recordings – in accordance with the provisions of the existing legislation on the protection of personal data and the publicity of data of public interest – for the above reasons and purpose, it provides secure storage and preservation as required by the law, subsequently the recordings shall be destroyed.

Recorded visual information shall be released exclusively to authorities, on a formal request. By entering the casino, the person entering automatically consents to the processing of recordings of him or her in accordance with the above.

In order to perform its official duties prescribed by the law, the Gambling Supervision Board may consult the data recorded by the video surveillance system.

The Controller shall inform its employees upon the establishment of employment, and the other Users not regarded as employees upon the registration at their first entry into the casino, of the surveillance system’s operation and its regulation.

The Controller placed a warning sign at the reception that calls the attention to the fact that an electronic surveillance system is operating in the given territory.

Detailed conditions for the operation of the camera system:

• With the video surveillance system all the games ongoing in the casino shall be observable. The type of cameras shall be chosen and the cameras shall be set so that the bets (colours and readability of chips), the gaming devices, the supplementary gaming devices (dice, cards, balls etc.), and the course of the game can be clearly visible and easy to follow.

• The video surveillance system shall ensure the observability of filling and emptying of slot machines, and the payout of jackpot. If the accounting for gaming devices takes place in a separate room, that room shall be fitted with a camera too. Furthermore, the video surveillance system shall control the route leading to the place of accounting.

• In all the gaming halls of the casino’s building it is necessary to mount cameras which can give an overview of possible disorders and security measures taken in response in the whole gaming hall and in all gaming areas (gaming tables, slot machines etc.).

• The entry of the casino’s visitors and the identification process shall be under video surveillance.

• All cameras should be capable of showing transmitted image with date and time down to the second, furthermore the bets made and the receipt of cash and tips according to their position, while the events occurred on the gaming devices remain visible all the time. Sound should also be transmitted with the image. The events to be compulsorily certified and events in the cashier shall be recorded with a zoom camera.

• Images transmitted by the cameras shall be constantly monitored as set out in the control system provided in the casino’s gaming plan. At the same time, the image material provided by the cameras shall be recorded, and the casino shall organise the preservation of video recordings and the submission of accounting documents in a way that following the submission of accounting documents the national tax authority can have a period of at least five business days to watch the video footages in support of any of the submitted documents. The casino is required to keep video footages and other documents containing exceptional occurrences that took place in the casino or measures imposed on the players for at least thirty days.

• Tools and methods used for control should not violate human dignity.

• In the course of processing the Controller shall act legally, and shall observe the principles of purpose limitation and fair processing.

• The Controller may transfer recordings to third parties only in the cases provided for by law (e.g. police).

• The Controller shall not carry out surveillance in rooms where it could violate human dignity. This applies specifically to changing rooms, showers, toilets, and to all rooms where the employees spend their rest breaks.

• However, there are some periods when the total area of the workplace may be kept under surveillance including the prohibited areas. These are the periods when, for example, no one is residing in the territory legally.

Legal basis for processing: legislative provision (Section 7(9) of the Anti-Money Laundering Act; Section 55 of Decree No 32/2005 (X. 21.) PM); Section 31 of Act CXXXIII of 2005.

Duration of processing: In the case of surveillance cameras prescribed by the Gambling Supervision Board, the casino is required to keep video footage for 45 days after recording; this period shall be prolonged by the casino on the basis of a request by the supervisory body provided for in Section 5 of the Anti-Money Laundering Act, until the conclusion of the supervisory body’s procedure. Retention period of other cameras’ footage: 30 days.

9.) Marketing activities

Scope of data processed: name, e-mail, telephone number.

Purpose of processing: sending electronic newsletters containing commercial messages to the User, providing information on current trends and products.

Pursuant to Article 6 of Act XLVIII of 2008 (Advertising Act) the User has provided his or her express preliminary consent to the Controller to contact him or her with advertisements and other messages using the contact details (e.g. e-mail or telephone number) provided on the data sheet specially made for the purpose.

Bearing in mind the provisions of this Policy, the User consents to the processing of his or her personal data by the Controller in order to send advertising materials. The Controller may not send unsolicited commercial messages, and the User may unsubscribe from receiving offers without restriction or justification, free of charge.

In this case, the Controller will erase from its record all personal data – which is necessary for sending newsletters – and will no longer contact the data subject with any further newsletters.

Legal grounds for data processing: the data subject’s voluntary consent and Article 6(5) of Act XLVIII of 2008 (Advertising Act).

Duration of processing: until the withdrawal of statement of consent, at the latest when the casino ceases its business activities.

10.) Website operation

Scope of data processed: IP address of visitors to the website, date of visit, data of pages viewed, name of browser used.

Address of the website: www.casinosopron.hu

Purpose of processing: A software analyzing website traffic is running on the Controller’s website.

The website uses “cookies”, which are text files placed on the visitor’s computer aiming to help the analysis of the website’s use. The visitor of the website may refuse the use of cookies by selecting the appropriate settings on his or her browser.

Cookies can be “permanent” or “temporary”. Permanent cookies are stored on the browser until a specified date, provided that the User does not delete them, while temporary cookies are not stored on the browser and they are automatically deleted when the browser is closed.

If the website’s visitor does not consent to the use of cookies, he or she can refuse the use of cookies by selecting the appropriate settings in the browser (block, disable). Blocking cookies may restrict or hinder the access to certain services.

The Controller will not use the information stored by cookies for the identification of the website’s user.

Legal grounds for data processing: Article 6(1)(a) GDPR; Section 5(1)(a) of the Privacy Act.

Duration of processing: until the achievement of objectives, at the latest erasure at the data subject’s request.

11.) Social network

The casino has a Facebook page under the name Casino Sopron. The objective of the Facebook page is to keep the casino’s players up to date and stay in contact with them.

In order to use the Casino Sopron Facebook page the User must have his or her own account on the Facebook social network.

By using Facebook the User declares that he or she has previously understood and accepted Facebook’s own conditions of use and data processing policy (1601 South California Avenue, Palo Alto, CA 94304, United States):

https://www.facebook.com/policy.php

Facebook will receive the information that the User wishes to post on the casino’s Facebook page, under the User’s IP address.

Regarding the data to be posted by the User (name, photo, comment, assessment), the User may exercise his or her rights towards Facebook as per point IV of this Policy.

The casino is entitled to request the erasure of any data detrimental to the repute or the rights of the casino or any other person.

III.

CONTROLLER’S PROCEDURE

1.) Controller’s procedure

The Controller does not process data in an automated manner, therefore the Controller does not use automated decision-making and profiling.

The Controller is excluded from the scope of Code of Conduct.

The Controller’s employees may have access to the data subject’s personal data in order to fulfill their work-related duties in principle.

Personal data may be transferred to a third country on the basis of an adequacy decision.

2.) Data Security

The Controller shall take all necessary safety steps, technical and organisational measures to ensure the highest level of security of personal data and to prevent any unlawful alteration, destruction or use.

The Controller shall take all necessary measures to ensure the integrity of the data, i.e. the accuracy, completeness and up-to-date status of the personal data it manages and/or processes.

The Controller shall protect the data by appropriate measures, in particular against unauthorised access, alteration, transmission, disclosure, deletion or destruction, as well as unavailability due to accidental destruction, damage, or change in the technique used.

The Controller saves active data from databases containing personal data.

The Controller constantly provides virus protection on the personal data management network.

Access to data managed on the Controller’s network and to data files must be protected with a user name and password.

To ensure the security of paper-based personal data, the Controller applies the following measures:

- only authorised persons can have access to data, nobody else can have access to data, data cannot be disclosed to anyone else;

- the documents shall be placed in a room with a good lock, fitted with equipment for fire protection and for the protection of property;

- the Controller’s employee who carries out the processing of data must lock data carriers entrusted to him or her or close the office before leaving the room where the processing of data takes place during the day;

- the Controller’s employee who carries out the processing of data shall lock paper-based data carriers after work;

- if paper-based personal data are digitized, the Controller shall apply security rules concerning digitally stored documents.

To ensure the security of personal data stored on computer or on a network the Controller applies the following measures and safeguards:

- the computers used in the processing of data are owned by the Controller, or the Controller exercises the same rights over them as ownership;

- the data on computers is only accessible with valid, personal, identifiable access rights (at least user name and password), the Controller shall regularly change the passwords;

- all computer records of data are logged in a traceable way;

- data on the network server (hereinafter: server) shall be accessible only by the designated persons with the appropriate access rights;

- if the purpose of processing has been achieved and the time limit for data processing has expired, the file containing the data shall be irrevocably deleted, the data cannot be recovered;

- for the security of data stored on the network the Controller avoids data loss by continuously mirroring on the server;

- active data of databases containing personal data are saved regularly on a daily and monthly basis, the monthly backup includes the whole dataset of the central server and is performed on a magnetic carrier;

- the magnetic carrier containing the monthly backup shall be stored in a fireproof room installed for this purpose;

- the Controller constantly provides virus protection on the personal data management network;

- the Controller prevents unauthorised network access using the available computing devices.

3.) Personal data breach management

In the case of a personal data breach, the Controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.

If the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the Controller must communicate the personal data breach to the data subject without undue delay.

Any employee or collaborator who detects a personal data breach of personal data managed or processed by the Controller shall notify the personal data breach to the Data Protection Officer and the management, providing his or her name, telephone number and/or e-mail address, the subject of the personal data breach and whether any IT system is affected by the breach. The notifying person may provide further information considered to be relevant to the identification and assessment of the personal data breach.

If the personal data breach has affected the IT system, the management shall notify the competent administrator as well.

The Data Protection Officer – in case of personal data breach affecting the IT system in cooperation with the IT technician – examines the notification, and requests further information from the notifying person, which shall be fulfilled without delay.

The requested information shall include the following:

1. date and time of the breach,

2. description, condition, and effects of the breach,

3. scope and number of data compromised in the breach,

4. scope of data subjects affected by the breach,

5. description of actions taken in order to eliminate the breach,

6. description of actions taken in order to prevent, avoid and reduce damage.

On the basis of the information provided the Data Protection Officer – in case of personal data breach affecting the IT system together with the IT technician – proposes measures necessary to eliminate the personal data breach to the department carrying out the management or the processing of data, and to the management.

The custodian shall inform the management and the Data Protection Officer on the various measures implemented in order to eliminate the personal data breach within 2 business days following the implementation of such measures.

On the basis of Section 15(1a) of Act CXII of 2011 on the right to informational self-determination and freedom of information the Controller shall keep a record of personal data breaches in order to control measures concerning the personal data breach and to notify the data subject.

The Controller shall keep a record of all personal data breaches.

The record should include the following:

1. scope of personal data concerned,

2. number and scope of data subjects affected by the breach,

3. date of breach,

4. conditions and effects of breach,

5. measures taken to eliminate the breach,

6. other information specified in the legislation on data processing.

The data regarding data breaches included in the record shall be retained for a period of 5 years by the Controller in case of breaches involving personal data.

4.) Disclaimer

The Controller shall not be liable for any mistakes arising beyond its control, and for any consequence or damage arising as a result thereof.

For damages caused by behavior constituting a breach of security of information systems (including the use of viruses and other software designed to cause damage, the unauthorised access to personal and other data, and other hacking activities) or arising as a result thereof the persons engaged in such behaviors shall be solely liable, therefore the Controller excludes its liability.

If the Controller becomes aware that the User, contrary to the provisions of this Policy or legislations in general, provided the personal data of another person, uses unlawfully publicly available or unlawfully obtained personal or other data, or does not comply with the provisions of this Policy in general, the Controller will take the necessary legal actions.

5.) Tasks of the Data Protection Officer (DPO)

The DPO shall have the following tasks:

a) to inform and advise the Controller and the employees who carry out processing of their obligations pursuant to Union or Member State data protection provisions;

b) to monitor compliance with the Union or Member State data protection provisions and with the policies of the controller in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;

c) to provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35 GDPR;

d) to cooperate with the supervisory authority; and

e) to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36 GDPR, and to consult, where appropriate, with regard to any other matter.

The data protection officer shall in the performance of his or her tasks have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing.

Data subjects may contact the Data Protection Officer with regard to all issues related to processing of their personal data and to the exercise of their rights under this Regulation.

The data protection officer shall be bound by secrecy or confidentiality concerning the performance of his or her tasks, in accordance with Union or Member State law.

6.) Persons authorised to consult the casino’s database

For the purpose of verification of the lawfulness of the consultation, and in order to inform the data subject the casino keeps a record which contains the date of consultation of the register of personal data processed by the casino.

IV.

RIGHTS OF THE DATA SUBJECT

1.) Transparent information, communication and modalities for the exercise of the rights of the data subject

The Controller shall take appropriate measures to provide any information referred to in the GDPR and any communication relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language. The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means.

The Controller shall facilitate the exercise of data subject rights under the GDPR. The Controller shall not refuse to act on the request of the data subject for exercising his or her rights, unless the controller demonstrates that it is not in a position to identify the data subject.

The Controller shall provide information on action taken on a request to the data subject without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The Controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the data subject makes the request by electronic means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.

If the Controller does not take action on the request of the data subject, the Controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

Information provided and any communication and any actions taken shall be provided free of charge. Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the Controller may either:

a) charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or

b) refuse to act on the request. The Controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.

Where the Controller has reasonable doubts concerning the identity of the natural person making the request, the controller may request the provision of additional information necessary to confirm the identity of the data subject.

2.) Right of access by the data subject

The data subject shall have the right to obtain from the Controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:

a) the purposes of the processing;

b) the categories of personal data concerned;

c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;

d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;

e) the existence of the right to request from the Controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;

f) the right to lodge a complaint with a supervisory authority;

g) where the personal data are not collected from the data subject, any available information as to their source;

The Controller shall provide the data subject a copy of the personal data undergoing processing. For any further copies requested by the data subject, the Controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form. The right to obtain a copy shall not adversely affect the rights and freedoms of others.

3.) Right to rectification

The data subject shall have the right to obtain from the Controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

4.) Right to erasure (‘right to be forgotten’)

The data subject shall have the right to obtain from the Controller the erasure of personal data concerning him or her without undue delay and the Controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2) GDPR, and where there is no other legal ground for the processing;

c) the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);

d) the personal data have been unlawfully processed;

e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the Controller is subject;

Where the Controller has made the personal data public and is obliged to erase the personal data, the Controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

The right to erasure shall not apply to the extent that processing is necessary:

a) for compliance with a legal obligation which requires personal data processing by Union or Member State law to which the Controller is subject,

b) for the establishment, exercise or defence of legal claims.

5.) Right to restriction of processing

The data subject shall have the right to obtain from the Controller restriction of processing where one of the following applies:

a) the accuracy of the personal data is contested by the data subject, for a period enabling the Controller to verify the accuracy of the personal data;

b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;

c) the Controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims; or

d) the data subject has objected to processing pursuant to Article 21(1) GDPR pending the verification whether the legitimate grounds of the controller override those of the data subject.

Where processing has been restricted on the basis of the above, such personal data shall, with the exception of storage, only be processed with the data subject's consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

A data subject who has obtained restriction of processing shall be informed by the Controller before the restriction of processing is lifted.

6.) Notification obligation regarding rectification or erasure of personal data or restriction of processing

The Controller shall communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with Article 16, Article 17(1) and Article 18 GDPR to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The Controller shall inform the data subject about those recipients if the data subject requests it.

7.) Right to data portability

The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to the Controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller, where:

a) the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) or on a contract pursuant to point (b) of Article 6(1) GDPR; and

b) the processing is carried out by automated means.

In exercising his or her right to data portability, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.

The exercise of the right to data portability shall be without prejudice to Article 17 GDPR and shall not adversely affect the rights and freedoms of others.

The Controller does not process data in an automated manner, therefore the User is not entitled to the rights under this paragraph.

8.) Right to object

The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1) GDPR, including profiling based on those provisions. In this case, the Controller shall no longer process the personal data unless the Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.

Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.

At the latest at the time of the first communication with the data subject, the right to object shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information.

9.) Judicial remedy

In case the User disagrees with the decision adopted by the Controller, the User may appeal against the decision before the court within 30 days following the notification.

The regional court shall have jurisdiction to hear actions. The action, at the User’s choice, may be brought before the court of the User’s domicile or the User’s habitual place of residence.

Complaints may be filed inter alia to the Hungarian National Authority for Data Protection and Freedom of Information:

Hungarian National Authority for Data Protection and Freedom of Information

1125 Budapest, Szilágyi Erzsébet fasor 22/C

Postal address: 1530 Budapest, PO box (Pf.) 5

Telephone: +36-1-391-1400

Fax: +36-1-391-1410

E-mail: ugyfelszolgalat@naih.hu

Should the User have any complaint, comment or suggestion, he or she may submit them on the Controller’s or the Data Protection Officer’s contact details provided in point I.1. of this Policy.

V.

Amendment to the Policy

The Controller reserves the right to amend this Policy. In case of amendment, the amended Policy should be available at the reception of the Controller’s registered office, and it should be uploaded on the Controller’s website. The amendment shall enter into force the day after the amended Policy has been made available. Following the amendment’s entry into force the use of the Controller’s services entails the adoption of the amendment of the data processing policy.

This Policy is effective from 25 May 2018.

Annex 1

DATA PROTECTION NOTICE ON THE PLAYER PROTECTION REGISTER

1. Legislative context of processing

The following legislation shall apply to data processing in relation to the player protection register (the text of legislation is available on the link behind the titles of the Acts):

1. Act XXXIV of 1991 on the Organisation of Gambling (http://net.jogtar.hu/jr/gen/hjegy_doc.cgi?docid=99100034.TV),

2. Act CXII of 2011 on the right to informational self-determination and freedom of information (http://net.jogtar.hu/jr/gen/hjegy_doc.cgi?docid=A1100112.TV),

3. Government Decree 329/2015 (XI. 10.) on the detailed rules of responsible game organisation (hereinafter: Government Decree) (http://njt.hu/cgi_bin/njt_doc.cgi?docid=192084.313864).

2. Main processing conditions of the player protection register

2.1. Body or department keeping the player protection register

Name: Gambling Supervision Board (hereinafter: GSB)

Registered Office: 1051 Budapest, Sas u. 20-22

Postal address: 1372 Budapest, PO box (Pf.) 431

E-mail: ki.szef@nav.gov.hu

Website: http://www.nav.gov.hu/nav/szerencsejatek, www.szf.hu

2.2. Purpose of processing: The purpose of player protection register is to restrict the participation in gambling of people who:

- were legally incapacitated by court or whose legal capacity has been declared partially limited by court,

- made a significant self-restriction statement.

2.3. Legal grounds for data processing: The legal grounds for processing data in relation to the player protection register:

- in case of restriction based on court decision: statutory authorisation,

- in case of significant self-restriction statements: voluntary contribution of the player.

2.4. Scope of data processed:

In case of restriction based on court decision the player protection register contains the following:

- the player’s family and first name, family name and first name at birth, mother’s name, type and number of identification document, address,

- the existence of restriction based on court decision,

- the unlimited duration of restriction or the starting and end dates of limited duration.

In case of restriction based on voluntary decision the player protection register contains the following:

- the player’s family and first name, family and first name at birth, mother’s name, type and number of identification document, address,

- the existence of restriction based on voluntary decision,

- the type or types of gambling or the organisers specified by the player in the significant self-restriction statement.

2.5. Source of data: the GSB obtains the personal data from the court’s report and from the significant self-restriction statement. The operators of casinos and cardrooms, and the organisers of online casino games and remote gambling [together: gambling organiser(s) or organiser(s)] identify personal data in coded form from the electronic extract of the player protection register in case of restriction based on court decision and significant self-restriction statement.

2.6. Duration of processing: GSB shall process the data and the documents for a period of 6 years after the removal/cessation of restriction.

3. Data processing operations carried out by the gambling organiser

3.1. Indication of gambling organiser

Name: CAI Hungary Kft.

Registered Office: 9400 Sopron, Lackner Kristóf utca 33/A

Postal address: 9400 Sopron, Lackner Kristóf utca 33/A

E-mail: cso@casinosopron.hu

Website: www.casinos.hu

3.2. The gambling organiser may have access to the player protection register by electronic data retrieval – in the context of providing enhanced protection to the vulnerable person – in order to find out whether the player’s participation in gambling is restricted according to the player protection register when the access occurs.

The organiser’s data retrieval is based on an authorisation in law, since under the legislation before the registration of a player the organiser is obliged to ascertain whether the player is subject to restriction.

The data retrieval is carried out in encrypted form, using codes, the organiser does not have direct access to personal data contained by the player protection register. The organiser’s IT system generates a code automatically from the data provided by the player (player’s family and first name, family and first name at birth, mother’s name, type and number of identification document, address). The data retrieval is carried out from the electronic extract containing the above player data encoded using the same method, made available to the organiser, updated by GSB as frequently as required by the regulations. If the electronic extract contains a record identical to the retrieved encoded data, then the player in question is included in the player protection register. In such a case the organiser does not provide the player with gambling opportunities.

During the retrieval the organiser does not have access to the written document constituting the basis for the restriction. For example, the organiser cannot have access to the court’s data service by retrieval.

The organiser has access exclusively to restrictions concerning the types of gambling included in its activity licence. The organiser does not have access to restrictions included in the register which are not covered by its activity licence.

4. Rights of the data subject

4.1. Right to request information: In case of the player protection register the player may request information in writing from the GSB regarding the following:

- which of his or her personal data are processed by the GSB,

- for what processing purposes,

- from what source,

- for how long,

and to whom, when, on which legal basis and to which personal data the GSB provided access.

The player may request information from the gambling organiser in writing on the data available to the organiser on the basis of the player protection register. Both the GSB and the organiser shall fulfill the player’s request no later than 30 days, in a letter sent to the address provided by the player - in case of online casino games and remote gambling in an electronic mail.

4.2. Right to rectification: The player may request the GSB or the gambling organiser the rectification of inaccurate personal data concerning him or her. Both the GSB and the organiser shall fulfill the player’s request no later than 30 days, in a letter sent to the address provided by the player - in case of online casino games and remote gambling in an electronic mail.

4.3. Right to erasure: The player may request both the GSB and the gambling organiser the erasure of personal data concerning him or her. The GSB and the organiser may reject the request to erasure if the processing of personal data included in the player protection register is the result of a judicial decision. Both the GSB and the organiser shall fulfill the player’s request no later than 30 days, in a letter sent to the address provided by the player - in case of online casino games and remote gambling in an electronic mail.

4.4. Right to blocking: Instead of erasure the player may request the GSB or the gambling organiser the blocking of his or her personal data. The blocking of data shall be maintained until the data processing purpose indicated by the player makes it necessary to store the data.

The player may request the blocking of personal data concerning him or her (e.g. significant self-restriction statement) for example, if he or she thinks that the processing of the GSB or the organiser is unlawful, however for the purpose of an administrative or judicial procedure initiated by the player the data shall not be deleted by the GSB or the organiser. In such a case the GSB or the organiser shall continue storing the personal data (e.g. significant self-restriction statement or the data available on the basis of the electronic extract of the player protection register) until the request of the authority or court, and then shall erase the data.

4.5. Right to object: The player shall have the right to object to the processing of personal data concerning him or her, if the GSB or the organiser forwards or uses personal data for direct marketing purposes, for opinion polling or scientific research. For example, the player may object if the organiser sends advertising messages to the player’s address without the player’s consent.

The player may object to data processing also when he or she considers that the data processing of the GSB or the organiser is exclusively necessary to comply with a legal obligation or to pursue a legitimate interest, except data processing on the basis of a statutory mandate. For example, the player may not object to the preservation of self-restriction or self-exclusion statements for 6 years, as the GSB and the organiser are required by legislation to fulfill this obligation.

5. Remedies available to the data subject

5.1. Procedure of the Hungarian National Authority for Data Protection and Freedom of Information

If the player considers the processing unlawful, he or she may initiate the procedure of the Hungarian National Authority for Data Protection and Freedom of Information (hereinafter: NAIH), for example, if the GSB or the organiser fails to comply with his or her request as referred to in point 4.

Contact details of NAIH:

Name: Hungarian National Authority for Data Protection and Freedom of Information

Registered Office: 1125 Budapest, Szilágyi Erzsébet fasor 22/c

Postal address: 1530 Budapest, PO box (Pf.) 5

Telephone: +36 (1) 391-1400

E-mail: ugyfelszolgalat@naih.hu

Website: www.naih.hu

5.2. Initiation of court proceedings

If the player considers the data processing unlawful, he or she may initiate civil proceedings against the gambling organiser or the GSB. The regional court shall have jurisdiction to hear the proceedings. The proceedings, at the player’s choice, may be brought before the court of the player’s domicile or the player’s habitual place of residence (a list of regional courts and their contact details is available at: http://birosag.hu/torvenyszekek).

The Controller reserves the right to unilaterally amend this Policy. The Policy’s complete text in force can be consulted free of charge at the Controller’s reception and website at all times.
