DATA PROTECTION POLICY
DATA PROTECTION POLICY OF Hit Larix d.d.
Hit Larix d.d. is aware that the right to privacy is one of the basic human rights, therefore we respect our customers’ privacy and handle their personal data responsibly, carefully and in accordance with the applicable legislation in force in the Republic of Slovenia and the company’s internal acts.
The present text is intended for your familiarization with the Data Protection Policy of Hit Larix d.d. in regard to the protection of our customers’ rights and to inform you of your rights in regard to the protection of personal data you entrusted us with and the purposes of its use.
A. WHY AND ON WHAT LEGAL GROUNDS WE USE PERSONAL DATA
1. Performance of Contracts
Hit Larix d.d. processes personal data in the context of and for the purposes of performance of contracts.
On the grounds of a contractual legal basis, personal data are processed in the necessary extent for preparing an offer, concluding of a contract, during the negotiation phase, after receiving an offer or the data subject’s inquiries, for notifying about changes to conditions of sale, implementation of changes in a subscription or other contractual relationship, charging of services, resolving potential disputes and refunds, sending notices to data subjects in regard to the performance of the contractual relationship. To the extent necessary for authentication and identification of transactions, Hit Larix d.d. also processes data for the purposes of calculating commissions for contractual partners, who sell services to data subjects, as well as for defining their efficiency and for preparing reports and planning next sales activities.
Furthermore, Hit Larix d.d. processes personal data for the purpose of performing rights and obligations in regard to the loyalty program. Use of your personal data, needed for the purpose of performance of contract, covers the use of your personal data which is necessary for providing Elite Player’s Club services, e.g. tracking of collecting and redeeming of points and other benefits of the Membership Card and other activities you carry-out when using EPC Card, as that allows us to, on the basis of further processing of your personal data, classify you in a specific member tier (member, gold and exclusive Membership Card and similar). You can read more about this in the General Terms and Conditions for the Elite Player’s Club Operation
Hit Larix d.d. is not liable for potential abuse or disclosure of the data subject’s personal data, which is a result of the data subject’s improper conduct.
2. Fulfillment of Legal Requirements
Use of your personal data for fulfilling legal requirements covers especially the record keeping of safety events, recording of invoicing, camping guests, entrance of players and non-players, ensuring video surveillance, maintaining surveillance videos about the activities in casino and other HIT Larix premises, record keeping of received cash prizes and gifts by the guests in the casinos, recordkeeping of players in the online casino, record keeping of other transactions performed in relation towards Hit Larix d.d. and guests who performed those transactions.
3. Use Your Personal Data on the Grounds of Hit Larix d.d.’s Legitimate Interest
Hit Larix d.d. also uses personal data on the grounds of legitimate interest pursued by Hit Larix d.d. or a third person, except when the interests or the fundamental rights and freedoms of the data subject, who requests the protection of their personal data, override the interests of Hit Larix d.d..
In accordance with its legitimate interest, Hit Larix d.d. process personal data in a necessary and proportionate scope for the purposes of lowering the risk of a breach of the company’s website (ensuring information security, reducing the risk of an unauthorized access to important business information, personal data and information system) and for the statistical purposes intended to prepare reports for management, wherein such reports always include only anonymised data.
Other legitimate interests may include prevention of abuse, establishment of claims and defence against claims in administrative and legal proceedings.
Hit Larix d.d. may, in case of suspicion of abuse, to an appropriate and proportionate extent process the data of a data subject or the purpose of identification and prevention of potential scams or abuses and may, if appropriate, forward this data to the police, State Prosecutor’s Office or other competent bodies.
4. Use of Personal Data on the Grounds of Consent
Hit Larix d.d. in specific cases asks their customers and other data subjects to give consent for processing of their personal data in order to assess several personal aspects of a data subject, such as analysis of personal taste, interests and behaviour of such data subject (profiling) for the purpose of creating and presenting personalized offers of goods and services to the data subject, including informing or direct marketing and for the purpose of conducting market research. In such cases, the processing of personal data is carried out within the framework of the consented to (with the data subject’s statement of consent) extent of personal data, purpose and agreed upon communication channels, until the withdrawal of such statement.
The consent can refer to informing about the offer and services, preparation of personalized offers or performing of services with added value. The informing is carried out via channels chosen by the data subject in the consent.
Hit Larix d.d. in case that a data subject gave appropriate consent, uses their personal data for:
INFORMING ABOUT BENEFITS
We use personal data of Elite Player’s Club members acquired on the basis of the Elite Player’s Club membership and activities in this regard, for informing them about benefits that members of the club are entitled to on the basis of the Elite Player’s Club membership and other potential activities that they perform when using Elite Player’s Club membership card. This applies to all benefits that we grant to all Elite Player’s Club members, those that individual members are entitled to on the basis of their Elite Player’s Club membership tier (owner of member, gold or exclusive Membership Card), as well as those that belong to members on the basis of potential daily, weekly, monthly, semi-annual colleting and redeeming of points, other benefits on the basis of Membership Card usage and other valid promotions for individual business units in accordance with relevant conditions for specific business unit promotion.
We also use personal data of data subjects who gave the appropriate consent for informing them about the current offer and personalized offers, new offers or services, prize contests and other business units’ news, as direct marketing can only be tailored to the data subject’s interests and wishes in such manner. Personal data, for which consent was given, are being processed, as well as personal data on the basis of the following:
– merging of members into individual groups on the basis of the processing of personal data, and
– analysis of personal data on an individual level, which is necessary for classifying members into the above-mentioned groups and preparing offers tailored to the needs of individual data subjects on the basis of that.
SURVEYS, ANALYSES AND RESEARCH
We use personal data, acquired on the basis of your Elite Player’s Club membership and activities in relation to it, for conducting surveys, analyses and research that are not intended for marketing, but primarily for improving our business units’ offers and services and these include analyses of operation, visits, etc.
EXISTENCE OF COMPUTER (AUTOMATED) PROCESSING OF YOUR PERSONAL DATA
Hit Larix d.d. uses computer systems for the processing of personal data, which enable automatic processing of personal data. These systems are essential (and are used) for appropriate classification of Elite Player’s Club members into groups (member, gold, exclusive Membership Card) on the basis of designed profiles, as well as for appropriate tracking of collected and redeemed points and other Membership Card benefits, which are acquired by the members with their activities.
The notifying of individual Elite Player’s Club members about acquired benefits, direct marketing on the basis of your personal data acquired in the context of your Elite Player’s Club membership, as well as sending you surveys and performing analyses and research on the basis of the survey’s findings and other activities in the context of the Elite Player’s Club is automated (i.e. exclusively on the basis of computer’s management) if you gave your consent for such processing.
Decisions on the basis of personal data, which are based only on the above-described automated processing of personal data in the context of Elite Player’s Club membership, including the formation of segments and profiles on its basis, and decision which for the data subject entail certain legal effect or similarly affect the data subject’s position, they have the right to submit a request to annul such decision. This exception is valid if such a decision is necessary for providing services in regard to the membership in the Elite Player’s Club, if there is an explicit legal basis on a national or EU level for such processing or if it is justified with the data subject’s explicit consent for that purpose.
In case of automated decision-making, segmenting and profiling, which is necessary for providing services related to the Elite Player’s Club membership or is justified on the basis of the data subject’s explicit consent, the data subject has the right to request that the decision be personally reviewed by us (the right to obtain human intervention on the part of the controller), to express their point of view, as well as to contest the decision. The manner of exercising your rights in regard to the processing of your personal data is described below in the context of the section YOUR RIGHTS IN REGARD TO THE PROCESSING OF YOUR PERSONAL DATA.
5. Website and Online Services
Hit Larix d.d. only collects data from visitors on a voluntary basis and does not require users to provide information as a condition for visiting its websites.
We carefully protect the personal data collected through our websites and do not transfer the data to third persons.
Hit Larix d.d. may collect personal data acquired from the visitors of the websites, when you:
• use our website,
• use our services,
• get in contact with us,
• receive our services.
Hit Larix d.d. uses personal data for the following purposes:
• to provide visitors the requested information,
• to improve the user experience in regard to our services and our website,
• to inform about services, novelties and offers, insofar visitors gave their explicit consent or subscribed to receiving news,
• to ensure a safe use of services.
We may collect the following types of information:
1. Data you Provided for via E-Forms and Inquires
• contact data (name, surname, e-mail address, telephone number);
• content of your message.
2. Automatically Collected Data by the Website’s Analytics
HIT d.d., Nova Gorica also collects personal data when visiting their websites via cookies for the purpose of ensuring better functionality and user experience, safety, uninterrupted functioning of the website or web portals and counting site visits.
Cookies, which are used on the majority of websites both locally and around the world, enable quick, friendly and easy collaboration between you and the website, as well as provide you a user-friendly experience if you consent to their use. Certain cookies enable us to sample and segment visitors and thus ensure that content is tailored to the interests and preferences of every individual web user.
What are cookies?
Types of Cookies we use
Manage cookie preferences
You can change your cookie preferences any time by clicking the above button. This will let you revisit the cookie consent banner and change your preferences or withdraw your consent right away.
In addition to this, different browsers provide different methods to block and delete cookies used by websites. You can change the settings of your browser to block/delete the cookies. Listed below are the links to the support documents on how to manage and delete cookies from the major web browsers.
If you are using any other web browser, please visit your browser’s official support documents.
You can read more about behavioral advertising on the following link: http://www.youronlinechoices.com/sl/about-behavioural-advertising.
6. Social Networks
Hit Larix d.d. uses the following social networks and manages the following websites:
o Casino Larix slot hall – fb.com/casinolarix
o Tavern & Pizzeria Bor – fb.com/gostilnabor
o Camp Špik – fb.com/campspik
Participating and posting on social networks is voluntary.
We kindly invite you to follow Hit Larix d.d. on social networks!
B. WHO CAN ACCESS PERSONAL DATA
Access to personal data is granted only to authorized employees and contractual processors, with whom the company concluded a data processing agreement in the scope and for purposes necessary to conduct work processes, providing company’s services and fulfilling rights and obligations from concluded contractual relationships.
The company’s employees and contractual employees are bound to respect provisions regulating data protection and Hit Larix d.d. general acts, as well as concluded data processing agreements. Customers’ personal data are the company’s trade secret.
CONTRACTUAL PROCESSORS OF PERSONAL DATA
In addition to Hit Larix d.d., personal data is being processed on behalf of the company and for it by contractual processors or contractual processors’ employees, who provide technical support for the company’s processing of personal data.
Data subjects’ personal data are being processed by:
• competent legal bodies and holders of public authorizations for implementing legal competences,
• contractual processors of Hit Larix d.d. (developers of computer applications, websites and information services and personnel tasked with maintaining them; developers and initiators of software solutions; processors, engaged by Hit Larix d.d. to provide services needed for the performance of contracts; printing workshops; insurance companies; courier services; points of sale managers; external marketers; intermediates; marketing, research and analytics companies; external marketing agencies and event organizers; representatives of Hit Larix d.d. for conducting and implementing contracts, including collection of debt and legal proceedings),
• other persons with legal grounds for acquiring and processing of personal data.
C. PERSONAL DATA STORAGE
The period for which the personal data will be stored varies according to the criteria for each category of personal data. Personal data is stored only as long as it is needed to achieve the purpose of processing for which it was collected or processed further or until the legally required storage period expires.
After the fulfilment of the purpose of processing or after the expiry of the storage period, personal data is deleted, destroyed, blocked or anonymised if they are not, on the basis of legislation regulating archival material and archives, classified as archival material or if the Data Protection law does not state otherwise for specific category of personal data.
D. DISCLOSURE OF YOUR PERSONAL DATA
Hit Larix d.d. guarantees that the received customers’ personal data and all other data processed in pursuance of their legal interests that override the interest of a data subject, will be protected against unauthorized disclosure and transfers of data to unauthorized third persons in accordance with applicable data protection legislation.
Per law enforcement agency’s request, in case of any abuse or breaches, personal data, e-mail addresses and IP-addresses of users can be submitted to the police and other competent bodies for a follow-up.
E. MEASURES USED TO PROTECT PERSONAL DATA
1. Protection of Premises
Premises, in which personal data carriers, hardware and software are located, are carefully protected with organizational and/or technical measures, which prevent unauthorized persons from accessing personal data.
2. Sending E-Mails
E-mail address provided by the data subject is used explicitly for sending requested information to the data subject.
We do not send unencrypted notices about our customers’ data via e-mail. If the content of your message is relevant to the contractual relationship, the message will be stored.
Before sending us an unprotected e-mail via your internet service provider, please note that its content might not be protected online against unauthorized reading, forgery, etc.
External service providers, who filter incoming e-mail or spam or malicious software in order to guarantee protection of Hit Larix d.d., may gain access to your electronic message.
3. Protection of Access
The data processing network of Hit Larix d.d. is protected against the outside world via state-of-the-art firewall. The company’s internal applications are accessible only by logging in with a username and password. In applications, user rights are limited to business use via access systems, in such a manner that personal data are accessible exclusively to those employees, who are authorized for working with personal data; we strive to limit the number of such employees to a minimum necessary number.
Hit Larix d.d. regularly checks if the systems are protected against attempts of unauthorized access.
F. PROVIDING ACCURATE, COMPLETE AND UP-TO-DATE DATA
HIT d.d. strives to ensure that the data subject’s personal data are accurate and up-to-date, which it may do in accordance with regulations and/or on the basis of a data subject’s consent. Complete and up-to-date data can only be used for purposes set forth in the applicable legislation and not for other purposes, insofar that you did not give consent for such use or such use is not permissible in accordance with legislation.
Notwithstanding the above, data subjects must strive to inform Hit Larix d.d. about the changes of personal data relevant to them and important for the performance of contract. We will rectify and amend data as soon as we are informed about such a change.
G. RIGHTS IN REGARD TO THE PROCESSING OF YOUR PERSONAL DATA
In this section, we are presenting you with your rights that you can exercise in regard to our processing of your personal data and ensuring its legal and transparent processing.
Below, we are presenting all the rights that individuals have regarding our processing of their personal data and regarding safeguarding their transparent processing in accordance with the law. Individuals can file a request regarding the rights described below in writing by filling out a short form available at the Casino Larix reception, or by sending the written request to the following address: Hit Larix d.d., Borovška cesta 99, 4280 Kranjska Gora or via email: email@example.com.
HIT Larix d.d. may, based on reasonable doubt regarding the individual’s identity submitting the request regarding the rights indicated below, request additional information necessary to confirm the identity of the individual data subject.
In case of ambiguous information regarding these rights, an individual may request additional explanation by contacting our firm or our data protection officer.
1. Right to Withdraw Consent
The data subject can withdraw their consent in regard to the Elite Player’s Club membership anytime.
The withdrawal of the consent does not affect the legitimacy of the processing on the basis of your prior consent.
2. Right to Access
A data subject can always access their personal data that we process in a simple manner and in reasonable time intervals free of charge, on the basis of a submitted written request.
Based on an individual’s request we confirm whether we process their personal data; if we do, we enable access to relevant personal data and provide the following information:
– the purpose of processing;
– the categories of personal data concerned;
– the recipients or categories of recipients of the personal data, if any, particularly recipients in a third country or international organisation;
– the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
– the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject and to object to such processing;
– the right to lodge a complaint with a supervisory authority;
– when personal data was not obtained from the relevant data subject, all available information regarding the source of personal data; and
– the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) of EU GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
For additional copies or in cases of clearly unjustified or repetitive requests, we reserve the right to charge a reasonable fee for costs of administrative labor and materials.
3. Right to Rectification
Per data subject’s request, we rectify or amend any incorrect or old personal data that we process, without undue delay.
4. Right to Erasure
(i) which are no longer necessary in relation to the purposes for which they were collected or otherwise processed,
(ii) which are being processed on the basis of a withdrawn consent and there are no other legal grounds for processing,
(iii) for which you objected to the processing and there are no overriding legitimate grounds for the processing, or those
(iv) which were processed unlawfully
will be erased without undue delay per your request.
5. Right to Restriction of Processing
Per your request, we restrict the processing of personal data, when:
(i) a data subject contests the accuracy of the personal data (for a period enabling the controller to verify the accuracy of the personal data),
(ii) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead,
(iii) we no longer need the personal data for the purposes of the processing, but the data subject requires them for the establishment, exercise or defence of legal claims,
(iv) or a data subject filed an objection against data processing (pending the verification whether the legitimate grounds of the controller override those of the data subject).
When processing has been restricted, such personal data will, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise or defence of legal claims, to ensure rights of other natural or legal persons.
We will always notify the data subject before terminating any restrictions of processing.
6. Right to Data Portability
Per the data subject’s request, we will forward the personal data provided by the data subject to another controller, when processing is consensual or a contract and when it is technically feasible.
7. Right to Object
If a data subject’s personal data is being processed on the basis of our legitimate grounds or for the purposes of direct marketing, which includes profiling, then the data subject can object to such processing.
8. Right to File a Complaint with the Information Commissioner
If we do not answer your request within 1 month or if we deny your request, you can file a complaint, the resolution of which is the Information Commissioner’s responsibility.
A complaint due to a denial has to be submitted to the controller within 15 days from expiry of a 1-month period, or receipt of a negative answer. A customer can submit a request or a complaint using a special form, which is published on the Information Commissioner’s website.
H. EXERCISING OF RIGHTS IN REGARD TO DATA PROTECTION AND CONTACT DETAILS OF DATA PROTECTION OFFICER
Hit Larix d.d. guarantees data subjects’ exercising of their rights without undue delay and at the latest within 1 month from the receipt of the request, wherein the deadline for exercising of data subject’s rights can be extended for 2 additional months at most, taking into account the complexity and volume of requests. Should Hit Larix d.d. extend the deadline, it will inform the data subject about such extension and reasons for it within one month from receiving the request.
If the data subject’s request are clearly unjustified or excessive, especially due to their repetition, Hit Larix d.d. may:
– charge a reasonable fee for cost of labor and materials, wherein administrative costs of sending the information or message or implementation of the requested measure are considered or
– deny to act in accordance with the request.
I. CONTACT DETAILS OF THE DATA PROTECTION OFFICER
A data subject may, via a written request sent to the Data Protection Officer for Hit Larix d.d., request an access to, supplementation, rectification, blocking or restriction of processing or deletion of personal data, object to the processing of data that are being processed and request a transfer of data. The data subject may sent the request to:
Odvetniška Družba Ilić & Partnerji o.p.d.o.o., Davčna ulica 1, 1000 Ljubljana
J. RECOMMENDATIONS FOR DATA PROTECTION
We recommend that you also protect your privacy and personal data yourself.
Every individual is responsible for:
• the safety of the username and password, which should be kept appropriately and only be disclosed only to persons who they completely trust,
• the safety of their e-mail address,
• and appropriate software protection (anti-virus) of their computer or other devices for accessing different content.
K. CHANGES TO THE DATA PROTECTION POLICY
Hit Larix d.d. reserves the right to update the Data Protection Policy in accordance with the changes of services, on the basis of users’ feedback and due to legislation changes from time to time. Date of last update will be specified at the end of the Data Protection Policy.
In case of significant changes or plans for changes in regard to how Hit Larix d.d. uses personal data, the company will, before implementing any changes, notify users on its website or via e-mail (if a consent for such manner of informing is given).
We recommend that users regularly check this Policy, in order to gain information about how Hit Larix d.d. protects their privacy.
L. ADDITIONAL INFORMATION AND CONTROLLER’S CONTACT DETAILS
For additional information about processing of personal data or your suggestions for improving our services, you can contact us via e-mail address firstname.lastname@example.org or write to the address: Hit Larix d.d., Borovška cesta 99, 4280 Kranjska Gora.
This Data Protection Policy is used until its cancellation or potential update.
Kranjska Gora, on 25th May 2018