en hu de

Data Processing Policy

This Data Management Policy (hereinafter: Policy) contains the rules of the gaming casino operated by CAI Hungary Kft. (hereinafter: Data Controller or Casino) in regards of managing the personal data of the players.

Please read the contents of this Policy carefully and attentively. Should you have any questions or comments in relation to the provisions set forth herein, do not hesitate to contact us before accepting the Policy.

I.

1.) Data Controller data

Data Controller’s name: CAI Hungary Kft.

Company registration number: 08-09-027729, registered by the Company Registry Court of Győr Regional Court,

Headquarters: 9400 Sopron, Lackner Kristóf utca 33/A.

Tax number: 25452693-2-08,

E-mail: cso@casinosopron.hu

Phone: +36 99 512 350

Data Protection Officer: Dr. Ács Tamás László

Data Protection Officer contact details:

E-mail: acs@acstamas.eu

Address: 1016 Budapest, Avar utca 8.

Phone number: +36 20 9 425 022

2.) Legislation applied in preparing the Policy

The Data Controller respects the data subject’s personal data, and obliges itself to ensure that its data management process complies with this Policy and with the specific provisions of legislation in force particularly, but not exclusively:

- Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR),

- Act CXII of 2011 on Informational Self-Determination and Freedom of Information (hereinafter: Privacy Act),

- Act XXXIV of 1991 on the organisation of games of chance (hereinafter: Gambling Act),

- Act LIII of 2017 on Prevention and Combating of Money Laundering and Terrorist Financing (hereinafter: Anti-Money Laundering Act),

- Act LII of 2017 on the Implementation of Financial and Asset-Related Restrictive Measures Ordered by the European Union and the UN Security Council,

- Act CL of 2017 on the Rules of Taxation (ART),

- Act C of 2000 on Accounting (Accounting Act)

and is in compliance with other regulations and directives concerning data managing.

II.

DATA MANAGEMENT BY THE DATA CONTROLLER

1.) General customer registration records

Scope of data managed:

- name,

- mother’s name,

- place and date of birth,

- gender

- nationality,

- address, place of residence

- type, number and expiry date of the identification document

- photo

- signature

-entrance card serial number, date, period of validity.

Purpose of data management: customer due diligence, verification of identity documents.

Legal basis for data management: legislative provision - Anti-Money Laundering Act §6-7.

Duration of data management: 8 years from the termination of the business relationship.

Data processor: NOVOMATIC Hungária Kft., headquarter: 9352 Veszkény, Fő u. 186.

Special customer registration records

Scope of data managed:

- VIP status,

- promotional benefits,

- messages related to the service to be provided to the customer.

Purpose of data management: performance of a contract with a customer.

Legal basis for data management: GDPR Article 6. paragraph (1) point b)

Duration of data management: 8 years from the termination of the business relationship.

Data processor: NOVOMATIC Hungária Kft., headquarter: 9352 Veszkény, Fő u. 186.

2.) Politically Exposed Person Register

Scope of data managed:

- name,

- mother’s maiden name,

- place and date of birth,

- type and number of identification document,

- place of residence/address.

Purpose of processing: enhanced customer due diligence.

Legal basis for processing: Anti-Money Laundering Act §19.

Duration of processing: 8 years from the termination of the business relationship.

3.) Player identification

Data subjects:

- players, who want to enter the gaming casino area,

- players, who perform a credit card or currency exchange transaction,

- players, who executes a financial transaction with a value of HUF 2 million or more within one game day,

Scope of data processed:

- name,

- mother’s name,

- nationality.

- place and date of birth,

- address, place of residence

type, number and expiry date of the identification document,

- photo

- date of entry

- last 4 digit of credit card, date and amount of transaction

Purpose of data management: identity check of the customer (player) and the actual owner.

Legal basis for processing: Anti-Money Laundering Act §13., §11. (1); § 11. (4)

Duration of processing: 8 years from the termination of the business relationship.

Data processor: NOVOMATIC Hungária Kft., headquarter: 9352 Veszkény, Fő u. 186.

4.) Management of EU and UNSC sanctions lists,

Scope of data managed:

- name,

- mother’s name,

- place and date of birth,

- nationality,

- address, place of residence

- type, number and expiry date of the identification document.

Purpose of data management: identification and constant monitoring of persons subject to financial and property restriction measures.

Legal basis for data management: Act LII of 2017. §3.; §4. and §16.

Duration of data management: 8 years from the termination of the business relationship.

5.) Security surveillance

Scope of data managed:

- name,

- mother’s name,

- place and date of birth,

- nationality,

- address, place of residence

- type, number and expiry date of the identification document,

- photo.

Purpose of data management: constant monitoring of the business relationship with players entering the gaming casino area

Legal basis for data management: legislative provision - Anti-Money Laundering Act §11. (1).

Duration of data management: 8 years from the termination of the business relationship.

6.) Camera recording

Scope of data managed: video recording of persons entering the gaming casino area.

Purpose of data management: Prevention and combating of money laundering and terrorist financing, insurance of the interconnection of the data obtained during customer due diligence measures with player transactions, and recording of the image of natural persons / players and videos of their activities within the facility, and storage of the images in the electronic registration system for the effective performance of supervisory activities.

Legal basis for data management: Anti-Money Laundering Act §7. (9).

Duration of data management: In case of cameras prescribed by the Gambling Supervision Board the gaming casino is obligated to preserve the video recordings for 45 days from the date of recording. The gaming casino is obligated to extend this deadline based on the indication of the supervisory authority specified in §5. of the Anti-Money Laundering Act until the procedure of the supervisory authority is completed.

7.) Suspicion of money laundering and terrorist financing

Scope of data processed:

- name,

- mother’s name,

- place and date of birth,

- nationality

- address, place of residence

- type, number and expiry date of the identification document

Purpose of data management: notification obligation fulfilment.

Legal basis for data management: Anti-Money Laundering Act §30.

Duration of data management: 8 years from the termination of the business relationship.

8.) Usage of suspect counterfeit banknotes

Scope of data managed:

- name,

- place and date of birth,

- address, place of residence

- type, number of the identification document.

Purpose of data management: notification obligation fulfilment.

Legal basis for data management: Anti-Money Laundering Act §30.

Duration of data management: 8 years from the termination of the business relationship.

9.) Marketing activities

Scope of data managed:

- name,

- place and date of birth,

- address, place of residence

- type, number of the identification document,

- credit card number.

Purpose of data management: enforcement of a legitimate interest of a third party.

Legal basis for data management: GDPR Article 6. paragraph (1) point b), contract with Six Payment Services.

Duration of data management: 1 year from the date of withdrawal.

10.) Register of prize certificate

Scope of data managed:

- name,

- mother’s birth name,

- place and date of birth,

- type and number of the identification document,

- place of residence /address,

- nationality,

- tax identification number.

Purpose of data management: a prize certification may be supplied by the gaming casino at the request of a player who is entitled to winnings of HUF 2 million or more or the equivalent in a foreign currency, indicating a description of the title and the exact amount of the prize.

Legal basis for data management: Gambling Act §1. (8).

Duration of data management: 8 years from the termination of the business relationship.

11.) Data queried from the Players Protection Registry

Scope of data managed:

- name,

- mother’s birth name,

- place and date of birth,

- type and number of the identification document,

- place of residence /address.

Purpose of data management: The Gambling Supervision Board keeps a register about players affected by self-constraint and self-exclusion measures and persons placed under guardianship by a court, the so-called Players Protection Registry, from which the Data Controller requests and manages data when a player enters the casino.

Legal basis for data management: Gambling Act §1. (6).

Duration of data management: 6 years from the generation of data.

Data processor: NOVOMATIC Hungária Kft., headquarter: 9352 Veszkény, Fő u. 186.

12.) Casino ban registry

Scope of data managed:

- name,

- mother’s birth name,

- place and date of birth,

- type and number of the identification document,

- place of residence /address,

- nationality.

Purpose of data management: The Data Controller keeps a register for the effective implementation of the refusal of entry and participation in gambling (hereinafter: ban) against a player who has seriously breached a contract to participate in gambling.

Legal basis for data management: Gambling Act §1. (5c).

Duration of data management: 6 years from the date of ordering the ban.

Data processor: NOVOMATIC Hungária Kft., headquarter: 9352 Veszkény, Fő u. 186.

13.) Self-constraint register

Scope of data managed:

- name,

- mother’s birth name,

- place and date of birth,

- type and number of the identification document,

- place of residence /address,

- nationality,

- duration, date of lifting of the self-constraint.

Purpose of data management: register of self-constraints and self-exclusions, insurance of player protection, and data provision for the Gambling Supervision Board.

Az Legal basis for data management: fulfilment of a legal obligation – GDPR Article paragraph (1) 6. point c) – Gambling Act §1. (5b) and Government Decree No. 329/2015 (XI.10.) §16.-17.

Duration of data management: 6 years from the generation of data.

Data processor: NOVOMATIC Hungária Kft., headquarter: 9352 Veszkény, Fő u. 186.

14.) Handover of promotional prizes

Scope of data managed:

- name,

- signature.

Purpose of data management: fulfilment of mandatory data provision for the Gambling Supervision Board.

Legal basis for data management: ART §50.

Duration of data management: according to the Accounting Act in force at any time, at least 8 years.

15.) Register of abandoned chips (orphans):

Scope of data managed:

- name,

- identification number registered in the system.

Purpose of data management: registration of abandoned chips found in the casino, protection of player property.

Az Legal basis for data management: ART §50.

Duration of data management: according to the Accounting Act in force at any time, at least 8 years.

16.) Website operation

Scope of data managed: IP address of website (home page) visitors, time of visit, a data of pages viewed, name of browser programme used.

Purpose of data management: On the home page of the Data Controller a website traffic data analysis software is running. Website address: www.casinosopron.hu

Az Legal basis for data management: GDPR Article 6. paragraph (1) point a)

Duration of data management: until the purpose is fulfilled, but at the latest until the deletion on the request of the data subject.

17.) Community site

Scope of data managed:

- name,

- comment,

- rating.

Purpose of data management: informing of players on the Facebook and Instagram page of the Data Controller.

Az Legal basis for data management: GDPR Article 6. paragraph (1) point a)

Duration of data management: until the purpose is fulfilled, but at the latest until the deletion on the request of the data subject.

For the usage of the „Casino Sopron” Facebook and Instagram pages of the gaming casino the user must have an own account on Facebook social networking site.

By using Facebook and Instagram the user declares, that he/she had previously understood and accepted the own terms of use and data management policy of Facebook and Instagram:

https://www.facebook.com/policy.php

https://www.instagram.com/terms/accept/?hl=hu

Facebook and Instagram will receive the information that the user wishes to post on the casino’s Facebook or Instagram page, under the user’s IP address.

Regarding the data (name, photo, comment, rating) to be posted by the user, the user may exercise his/her rights directly towards Facebook and Instagram.

The casino is entitled to initiate the deletion of any data detrimental to the repute or the rights of the casino or any other person.

18.) Chatbot service

Scope of data processed:

The data required for the operation of Chatbot and available according to the standard settings of the platform, in particular: App user ID - ID generated for Chatbot, user name and any other data provided by the user (text, button usage, image, email address, internal ID, telephone number. In addition, the platform used for the service, the language, the date of registration, the data provided during the chat conversation. The range of data processed may vary with each function.

Purpose of data management:

Completion of tasks under the Data Management Chatbot service contract.

Legal basis for data management: GDPR Article 6 (1) (a).

Duration of data management:

Until the purpose is achieved, but at the latest at the request of the data subject.

Chatbot conversations are stored on the following cloud-based repositories:

Cloud-based storage provided by Microsoft Azure (Microsoft Ireland Operations Limited; Seat: 70 Sir Rogerson's Quay, Dublin 2, Ireland; Availability: https://azure.microsoft.com/hu-hu/);

Cloud-based hosting provided by the Amazon Web Service (AMAZON WEB SERVICES EMEA SOCIÉTÉ À RESPONSABILITÉ LIMITÉE; Headquarters: 38 AVENUE JOHN F. KENNEDY, L-1855 LUXEMBOURG; Registration number: R.C.S. LUXEMBOURG: B186284; Availability: https://aws.amazon.com/)

DigitalOcean, LLC. (101 6th Ave, New York, NY 10013, United States; https://www.digitalocean.com/)

Google Cloud Platform által biztosított felhő alapú tárhely, Google Ireland Limited; Gordon House, Barrow Street, Dublin 4, Ireland; https://cloud.google.com/

III.

DATA CONTROLLER’S PROCEDURE

1.) Data Controller’s Procedure

The Data Controller does not manage data in an automated manner therefore the Data Controller does not use automated decision-making and profiling.

The Data Controller is excluded from the scope of Code of Conduct.

2.) Data Security

The Data Controller takes all necessary safety steps, organisational and technical measures to ensure the highest level of security of personal data and to prevent any unlawful alteration, deletion or use.

The Data Controller takes all necessary measures to ensure the integrity of the data, i.e. the accuracy, completeness and up-to-date status of the personal data it manages and/or processes.

3.) Exclusion of liability

The Data Controller shall not be liable for any mistakes arising beyond its control, and for any consequence or damage arising as a result thereof.

For damages caused by behaviour constituting a breach of security of information systems (including the use of viruses and other software designed to cause damage, the unauthorised access to personal and other data, and other hacking activities) or arising as a result thereof, the persons engaged in such behaviours shall be solely liable, therefore the Data Controller excludes its liability.

If the Data Controller becomes aware, that the user, contrary to the provisions of this Policy or legislations in general, provided the personal data of another person, uses unlawfully publicly available or unlawfully obtained personal or other data, or does not comply with the provisions of this Policy in general, the Data Controller will take the necessary legal actions.

4.) Persons with access to the Data Controller's database

In order to verify the lawfulness of the access and to inform the data subject, the gaming casino shall keep a register containing the date of the access to the register of personal data processed by it.

IV.

RIGHTS OF THE DATA SUBJECT

1.) Right to information and access

You can request information from the Data Controller in writing about, that:

• what personal data,

• on what legal basis,

• for what purpose,

• from what source,

• for how long,

• and whether your personal data is still managed,

• for whom, when, for what reason and to which personal data the Data Controller has provided access to or to whom your personal data has been transferred to.

In addition, you can request a copy of your personal data stored by the Data Controller.

The Data Controller will fulfil your request within a maximum of 30 days, in the reply letter sent to the contact details provided in the request.

2.) Right to rectification

You can ask the Data Controller in writing through the contact details provided to modify or clarify any of your personal data.

The Data Controller will fulfil your request within a maximum of 30 days, in the reply letter sent to the contact details provided in the request.

3.) Right to erasure (‘right to be forgotten’)

You can request the deletion of your personal data from the Data Controller in writing through the contact details provided.

The Data Controller will reject the request for deletion if the legislation obliges the Data Controller to the further storage of personal data. However, if there is no such obligation for the personal data requested to be deleted, the Data Controller will comply with the request for deletion within a maximum of 30 days and will notify the applicant in a reply letter sent to the contact details provided by him/her.

4.) Right to restrict ("block") data managing

You can request the restriction of data managing from the Data Controller in writing through the contact details provided. In the event of a restriction, the Data Controller will only store the personal data, other data management activities will only take place with the consent of the person requesting the restriction due to the submission of a legal claim or in the public interest.

Data restriction can be requested if:

• you believe that your information is inaccurate, or

• you believe that your data has been processed unlawfully by the Data Controller, but you do not want the data to be deleted,

• you require the data management to enforce or protect your legal claim, but the Data Controller no longer needs this data.

The Data Controller will comply with the request within a maximum of 30 days and will notify the applicant in a reply letter sent to the contact details provided by him/her

5.) Right to withdraw consent

You may withdraw your consent to the data managing at any time during the data managing period in writing through the contact details provided. In the event of withdrawal of consent, the Data Controller's data management prior to withdrawal will remain lawful.

The Data Controller will withdraw your consent according to your request within a maximum of 30 days and will notify the applicant in a reply letter sent to the contact details provided by him/her.

6.) Remedies available to the data subject regarding data management

If the data subject has any complaints, remarks or suggestions in connection with the data managing, he/she can do so at the Data Controller’s or the Data Protection Officer’s contact details indicated in section I.1 of the Policy.

You can also file a complaint about data management with the Hungarian National Authority for Data Protection and Freedom of Information (Nemzeti Adatvédelmi és Információszabadság Hatóság):

Name: Nemzeti Adatvédelmi és Információszabadság Hatóság

Headquarter: 1055 Budapest, Falk Miksa utca 9-11.

Homepage: http://www.naih.hu

In the event of unlawful data managing experienced by you, you may initiate a civil lawsuit against the Data Controller. The trial falls within the jurisdiction of the tribunal.

V.

Amendment to the Policy

The Data Controller reserves the right to amend this Policy. In case of amendment, the amended Policy should be made available at the reception of the Data Controller’s headquarter, and it should be uploaded on the Data Controller’s website. The amendment shall enter into force the day after the amended Policy had been made available. Following the amendment’s entry into force, the use of the Controller’s services entails the adoption of the amendment of the data managing policy.

This Policy is effective from 20 December 2021.

Kérem, várjon... Please wait..