Processing of Personal Data
Privacy Notice Regarding the Processing of Personal Data of OlyBet AutomatKlub Users
1. General Provisions
1.1. This privacy notice applies to the processing of personal data of users by the OlyBet AutomatKlub operator International Evona d.o.o. (hereinafter referred to as OLYBET).
1.2. The data controller of your personal data is the company with OIB: 76118645526, email: split.reception@oc.eu.
1.3. Contact details of OLYBET’s Data Protection Officer: zaštita.podataka@oc.eu, International Evona d.o.o., registered at Koledovčina 1, 10000 Zagreb, Croatia, address: Koledovčina 1, 10000 Zagreb, Croatia.
1.4. OLYBET implements all necessary technical and organizational measures to protect personal data from unauthorized access, unlawful disclosure, accidental loss, alteration, destruction, or other unlawful processing. We also require our business partners, to whom we transfer personal data in accordance with this privacy notice, to implement the necessary organizational, physical, and IT security measures. However, please note that despite all protective measures, certain risks such as cyberattacks, power outages, software errors, or malicious actions by individuals may still occur. Upon detection of such a breach, we will take all reasonable steps to mitigate and minimize the risk for our clients.
1.5. Provisions on the processing of personal data may also be included in contracts between users and OLYBET. In case of conflict between different provisions, the provisions stipulated in the contract will prevail.
1.6. If OLYBET updates this privacy notice, it will publish the revised version without delay on its website olybetautomatklub.hr.
2. User Rights Related to the Processing of Their Personal Data
2.1. The user has the right to be informed whether OLYBET processes their personal data and, if so, may request and obtain a copy of such data.
2.2. The user has the right to request the correction of inaccurate personal data concerning them.
2.3. The user has the right to withdraw their consent to data processing at any time (e.g. consent for direct marketing), if the processing is based on consent. Withdrawal of consent does not affect the lawfulness of processing before the withdrawal.
2.4. The user has the right to request deletion of their personal data. OLYBET may delete data processed based on consent or legitimate interest if OLYBET’s interests do not outweigh the user's. This right does not apply to data processed for legal or contractual obligations while those obligations are in effect.
2.5. The user has the right to object to the processing of their personal data (especially when based on legitimate interest) and to restrict the processing when justified.
2.6. The user has the right to receive their personal data, provided based on consent or contract, in a structured and machine-readable format (if technically feasible) for transfer to another company.
2.7. The user has the right to lodge a complaint about data processing with the Croatian Personal Data Protection Agency (AZOP): Selska cesta 136, 10000 Zagreb, email: azop@azop.hr.
3. Processed Personal Data and Their Sources
3.1. OLYBET processes the following user data:
3.1.1. Registration data: name, surname, residence, date and place of birth, personal identification number, ID document number and issuer, date and time of casino entry, personal photo.
3.1.2. Identity verification data: type, number, issue and expiry date of ID, copy of document, check results from self-exclusion and sanctions lists, country of residence.
3.1.3. AML (SPNFT) data: profession, country of residence, politically exposed person status, source and origin of funds, details of cash transactions over €2,000.
3.1.4. Club Reward Card data: card number, issue date.
3.1.5. Gambling data: game location, type and number of devices, start and end time, amounts wagered, bets placed and results.
3.1.6. Transfer data: bank account IBAN or last 4 card digits, amount transferred or paid, time and location of transaction.
3.1.7. Marketing & communication data: email and/or phone number, preferred language, product/service preferences, direct marketing consent, message content, date/time.
3.1.8. Visual data: person’s image, club name, camera number, date/time.
3.1.9. Website data: IP address (and location), ISP, referring URL, access time/date, session key/token, browser type/version, OS, data volume/status, MAC address.
3.1.10. Cookie data: OlyBet uses cookies for optimizing website functions. Some cookies may collect personal data. See OlyBet’s Cookie Policy for details.
3.2. To comply with applicable regulations, especially Anti-Money Laundering Law, Gambling Law, Foreign Exchange Law, Accounting Act, or the General Tax Act, the following data is processed: name, surname, residence, date of birth, ID number (OIB), citizenship, type and issuer of ID, ID number, date/time/amount/currency of transactions, transaction purpose (if high AML risk), and video surveillance footage. Data will be processed as required by law.
3.3. For marketing purposes, if consent is given, we may contact you via email or phone. You may object to receiving promotional material at any time (including removal from marketing lists). Your contact data will be processed during the contractual relationship unless you object.
3.4. For safety and property protection, video recordings of your face captured in our premises may be processed. Based on the Law on the Protection of Monetary Institutions, such recordings will be retained only as long as necessary, usually several days to a few weeks.
3.5. For the loyalty program (Club Reward Card) and to fulfill the related contract, personal data provided during card application is processed, as it is necessary for the card's functionality. The card cannot be issued without this data. Without proper processing, reward points and card levels cannot be calculated or determined. Users are responsible for providing accurate data. In case of doubts and inability to verify data, OLYBET reserves the right to refuse card issuance.
3.6. OLYBET does not process special categories of personal data (e.g. race, ethnicity, religion, beliefs, sexual orientation, political views, health, genetic or biometric data).
3.7. Depending on purpose and nature, OLYBET collects user data from the user, public sources, or third parties such as government authorities, national databases, banks, and Acuris Risk Intelligence LTD (which provides databases for PEP and sanctions checks).
4. Legal Basis and Reasons for Processing Personal Data
4.1. Legal bases: compliance with legal obligations, performance of contracts, user consent, and OLYBET’s legitimate interest.
4.2. Processing purposes: user identification, financial transaction registration, "know your customer" obligations, provision of gambling services, marketing, user feedback processing, risk profiling, customer base growth, loyalty building, value-added services, resource management, environment and website improvement, process and staff monitoring, fraud prevention, document archiving, whistleblower report processing.
4.3. Categories by legal basis:
4.3.1. Legal obligation: identity verification, AML data, gambling data, visual data.
4.3.2. Contractual obligation: gambling data, transfer data, Club Reward Card data.
4.3.3. Consent: marketing/communication data, cookies.
4.3.4. Legitimate interest: reward card data, visual data, gambling data, cookies, website visit data, registration data.
4.4. When processing is based on legal or contractual obligations, users are required to provide the relevant data. Failure to do so will prevent OLYBET from fulfilling obligations and restrict access to services.
4.5. When processing is based on legitimate interest, OLYBET has assessed that its interest outweighs the user's rights and interests.
4.6. If processing is based on consent, users can withdraw it at any time by contacting the Data Protection Officer (see 1.3) or clicking the unsubscribe link in any marketing message.
5. Profiling and Automated Decision-Making
5.1. Profiling is used in the following processes and is based on the following logic:
Advertising of services/products offered by OLYBET, taking into account the user's number of visits, services used, and games played.
5.2. Automated decisions are used in the following processes and are based on the following logic:
5.2.1. Generating a weekly free game for the loyalty card user, based on the user's game turnover in the past 30 days.
5.2.2. Upgrading users to bronze, silver, and gold levels based on reward points, which are calculated from the user's game turnover over the previous 6 months.
6. Transfer of Personal Data
6.1. To provide services and/or fulfill its legal obligations, OLYBET uses partners as data processors, who process data based on and within the scope of OLYBET's instructions.
6.2. While processing personal data, OLYBET will transfer your personal data to the following recipients: public authorities, courts, banks, auditors and legal advisors, insurance companies, analytics service providers, fraud detection and prevention providers, user authentication providers, archiving service providers, information and communication transmission service providers, intermediaries for politically exposed persons (PEP) and sanction screening, money transfer intermediaries, whistleblower platform operators.
6.3. If OLYBET's data processing partner is located outside the European Union, the safeguards used for the transfer of personal data include: an adequate level of data protection in the recipient country according to a European Commission decision, or the use of Standard Contractual Clauses developed by the European Commission within a cooperation agreement.
6.4. Joint controllers of user data are Olympic Entertainment Group AS, OB Holding 1 OÜ (both located at Pronksi 19, Tallinn 10124, Estonia, +372 6671250, estonia@oc.eu), and Modern Games d.o.o., located at the same address as OLYBET. They are all part of the same corporate group as OLYBET and jointly process user data for the purposes of service/product marketing, joint campaign organization, communication (including direct marketing related to OlyBet online Casino and Olybet Casino Osijek on one hand and OLYBET on the other, depending on consent), user risk profiling, and OLYBET resource management. These parties have signed an agreement to share personal data for the purposes outlined in this Privacy Notice.
6.5. Your personal data may be disclosed to trusted third parties who provide us with administrative or technical support (i.e., processors). We may also share your personal data with public authorities or law enforcement agencies if necessary to meet legal obligations, with external advisors, and with other personnel bound by confidentiality obligations.
6.6. Only a limited number of our employees will have access to your personal data. Employees are obligated to maintain the confidentiality of your data and follow strict confidentiality protection measures. They may only process data under our explicit instructions.
7. Data Retention Periods
7.1. User personal data is stored until the purpose of processing is fulfilled or until obligations arising from applicable laws are met. We retain personal data for as long as necessary to fulfill the specific processing purpose—typically during the contractual relationship or for the period required by applicable law. Where we process your data based on your consent, such data will be processed as long as your consent remains valid. You may withdraw or limit your consent at any time, after which we will stop processing the data for that purpose.
7.2. According to gambling, AML, and accounting legislation, OLYBET must store identification, AML, and gaming data for at least 10 years from the end of the customer's business relationship. After this period, personal data will generally be deleted unless OLYBET determines a legitimate interest to retain some or all of the data, in which case the data will be retained no longer than necessary.
7.3. Video surveillance recordings are stored for at least 14 days, but no longer than 30 days.
8. Video Surveillance
8.1. OLYBET uses video surveillance for security purposes at its offices, gaming clubs, and gaming areas. Entry areas, customer zones, cashier areas, bars, and the space in front of gaming room entrances are under video surveillance.
8.2. OLYBET uses video surveillance to meet legal obligations for ensuring the safety of visitors, employees, and property, for detecting and preventing illegal activities, and for protecting its legal rights.
8.3. CCTV images and recordings are reviewed exclusively by OLYBET staff responsible for monitoring. If requested by competent authorities, recordings may also be shared with them.
9. Personal Data Protection Measures
To implement player protection standards, OLYBET has appointed a person responsible for implementation, training, and enhancement of player protection standards. To ensure the highest possible level of protection, OLYBET has taken all necessary and currently available technical, administrative, and physical security measures.
9.1. Technical measures include:
All electronically collected data is stored digitally on the company's server located in an authorized data center;
Backups are ensured for all collected data;
The company's entire IT system is protected by the latest antivirus software to prevent unauthorized access;
Two-factor authentication is used for all remote connections and limited to senior support staff;
All online payments and associated data are protected using encryption technology and a state-of-the-art secure online payment system.
9.2. Administrative measures include:
Only employees authorized by company management have access to personal data;
All employees involved in implementing data protection measures are specially trained;
Staff involved in data collection have limited access and are not familiar with the data to the extent that would allow misuse.
9.3. Physical security includes:
Restricted access (with keys held only by authorized persons) and video surveillance of areas where personal data is stored (e.g., server rooms);
Full video surveillance and prevention of unauthorized access to the company headquarters and the data center where such areas are located;
A security service monitors the building housing the company headquarters and data center, controls the entry of unauthorized persons, and ensures anti-burglary and fire protection systems are active.
10. Data Confidentiality
Client data and any other information obtained by OLYBET while providing services or conducting business with clients is considered a trade secret. OLYBET may disclose such data only in cases prescribed by law. Personal data collected under legal obligations must be shared with government bodies such as the Ministry of Finance, Tax Administration, Anti-Money Laundering Office, and other competent public authorities.
11. Exercise of Rights
In each of our clubs, you can find a brief guide to your rights and a “Request Form for Exercising Rights under the General Data Protection Regulation (GDPR).” You are welcome to request them from our staff.