OPERATOR – RED SEVENS S.R.L. – with registered office in Mun. Oradea, Pta. Nucetului, no.7, Bl.A6, et.6, ap.609, Bihor county, number J5/3140/2017, Tax ID Code 38628674, ONJN license for the organization of slot-machine gambling L1183161H000830,
RED SEVENS S.R.L. – licensed organizer of gambling – as a data controller, attaches particular importance to the processing of personal data provided at the initiative of customers, suppliers, business partners and employees, or collected as a result of a legal obligation, in compliance with the legal principles laid down in the General Data Protection Regulation (Regulation 2016/679 or GDPR) with regard to processing operations carried out in the context of the activity carried out on the gambling market. The processing operations cover all processing carried out including in the Organiser’s gaming rooms.
- GDPR DEFINITIONS
GDPR (General Data Protection Regulation) is the new Regulation (EU) 2016/679 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
GDPR applies to the processing of personal data wholly or partly by automated means (computer, laptop) as well as to the processing otherwise than by automated means of personal data (paper-based records) which form part of a data filing system or are intended to form part of a data filing system.
The GDPR will apply to all controllers based in the EU (European Union) that process personal data of data subjects, regardless of whether or not the processing takes place on EU territory. It will also apply to controllers outside the EU that process personal data to provide goods and services or to monitor the behaviour of data subjects residing in the EU.
Personal data – means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier, or to one or more factors specific to his or her physical, physiological, genetic, mental, economic, cultural or social identity.
Special categories of personal data – personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership and the processing of genetic data, biometric data for the unique identification of a natural person, data concerning health or data concerning the sex life or sexual orientation of a natural person.
Controller – the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by Union or national law, the controller or the specific criteria for its designation may be laid down in Union or national law.
Processor – means the natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller.
Processing – any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automatic means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Profiling – any form of automatic processing of personal data intended to evaluate certain personal aspects relating to an individual or to analyse or predict the individual’s work performance, economic situation, location, health, personal preferences, reliability or behaviour.
Personal data breach – a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, personal data transmitted, stored or otherwise processed. The controller has an obligation to report breaches of personal data security and cases where the breach could adversely affect the personal data or privacy of the data subject to the supervisory authorities.
Consent of the data subject – means any freely given, specific, informed and unambiguous expression of will by the data subject by which he or she accepts, by a statement or by an unambiguous action, that personal data may be processed.
- PRINCIPLES RELATING TO THE PROCESSING OF PERSONAL DATA
Any processing of personal data shall be carried out in accordance with the principles of data protection as laid down in Article 5 of the GDPR. Policies and procedures are designed to ensure compliance with the principles set out in the GDPR.
- Personal data is processed lawfully, fairly and transparently
Lawfulness – involves identifying a legal basis before starting a personal data processing operation. This identification is often referred to as ‘identifying the basis of processing’. The grounds set out in Article 6 of the GDPR and used are the following: legal obligation of the controller, contract concluded between the controller and the data subject, consent of the data subject, legitimate interest of the Controller.
Fairness – entails the obligation to inform the controller about the data processing before the processing starts or as soon as possible after the processing starts. Information is mandatory regardless of whether the personal data were obtained directly from the data subjects or from other sources.
Transparency – Articles 12, 13 and 14 of the GDPR set out the rules for informing data subjects. The provisions are detailed and specific, emphasising that privacy notices must be easy to understand and accessible. The information is communicated to the data subject in an understandable form, using clear and plain language.
- Personal data are accurate and, where necessary, are updated by being completed or rectified without delay
Data stored by the data controller shall be reviewed and updated as necessary. Data shall not be retained unless it can reasonably be assumed to be accurate.
- Staff are trained on the importance of collecting accurate data and keeping it accurate.
- The processing of accurate and up-to-date data is also the responsibility of the data subject. The completion of a registration form or application by a data subject shall include a statement that the data contained therein are correct at the time of submission.
- Employees, partner representatives and customers must notify the Operator of any changes to personal data to enable the record containing personal data to be updated accordingly.
- The Operator shall adopt appropriate procedures and policies to keep personal data accurate and up to date, taking into account the volume of data collected, the speed at which it may change and any other relevant factors.
- Personal data shall be kept in a form which permits identification of the data subject for only as long as necessary for processing. Personal data are processed in a way that ensures appropriate security.
- Where personal data are retained beyond the date of processing, they may be pseudonymised to protect the identity of the data subject in the event of a data breach.
- PERSONAL DATA PROCESSED
In general, we collect your personal data directly from you, so you have control over the type of information you give us. By way of example, we receive information from you as follows: when you create an account or for the purpose of obtaining a REDSEVENS membership card, you provide us with: your e-mail address, telephone number, first and last name, your national tax number (for tax purposes in accordance with the tax code and the specific legislation applicable in the field of gambling).
Also, as a player/winner in our rooms you provide us with your identification data – first name, surname, personal identification number, IC data, bank account data – if applicable, in order to grant the winnings / prizes from advertising campaigns and in order to calculate, withhold, pay the tax on the income obtained from gambling in Romania, according to the tax code and applicable rules.
Within the REDSEVENS gaming halls, personal data belonging to the customers who participate in the game / advertising campaigns or who participate in the REDSEVENS card holder program are processed. Thus, in order to release winnings, personal data of customers are processed, if applicable, under the legal obligation provided for in the Tax Code and rules, as well as under the provisions of Law 129/2019 for preventing and combating money laundering and terrorist financing.
With regard to participating customers to whom a customer card has been issued (whose purpose is to ensure a personalised player experience as well as to allow access to the various benefits offered by REDSEVENS – to which the data provided for in the card issue form are associated) – the processing is based on the consent of the data subjects, in particular with regard to marketing communications.
We do not collect or otherwise process sensitive data included by the General Data Protection Regulation in special categories of personal data other than those mentioned in this Policy. We also do not want to collect or process data of minors who have not reached the age of 18.
Data collection can be done in several ways, by means of paper forms or forms, filled in by you or at your request by our employees or other members of our specialised staff (such as hostesses), or electronically – account access.
- PURPOSES AND GROUNDS OF PROCESSING
- For the provision of our services for your benefit, as appropriate:
– To award prizes and winnings, as appropriate
– To create and manage your account on the REDSEVENS website
– Issuing your REDSEVENS loyalty card
– Providing support services, including providing answers to your questions about our services.
The processing of your data for these purposes is in most cases necessary for the performance of the relationship between us and you. Also, certain processing ancillary to these purposes is required by applicable law, including gaming, tax and accounting legislation.
- To improve our services
We base these activities on our legitimate interest to carry out activities, always taking care that your fundamental rights and freedoms are not affected.
- For direct marketing purposes
We want to keep you up to date with the best offers for the products/services you are interested in. To this end, we can send you any type of message (such as: e-mail/SMS/telephone/mobile push/webpush/etc.) containing general and thematic information, information on similar or complementary products to those you have purchased, information on offers or promotions. We always ensure that these processing operations are carried out in compliance with your rights and freedoms and that decisions taken on the basis of them do not have legal effects on you and do not affect you similarly to a significant extent.
In most cases, we base our marketing communications on your prior consent. You may change your mind and withdraw your consent at any time by:
– Changing settings in your customer account
– By accessing the unsubscribe link displayed within the messages you receive from us; or by
– Contacting us using the contact details described above.
In certain situations, we may base our marketing activities on our legitimate interest to promote and develop ourselves in the sense that we take all necessary steps to ensure that your fundamental rights and freedoms are not affected. However, you may at any time request us, by the means described above, to stop processing your personal data for marketing purposes and we will comply with your request.
- In order to defend our legitimate interests, we take measures that may include:
– Measures to protect the website and users from cyber attacks;
– Measures to prevent and detect fraud attempts, including the transmission of information to the competent public authorities;
– Measures to manage various other risks.
The general basis for these types of processing is our legitimate interest in safeguarding our business, it being understood that we ensure that any measures we take guarantee a balance between our interests and your fundamental rights and freedoms.
Also, in certain cases we base our processing on legal provisions such as the obligation to ensure the security of goods and values provided for by the applicable legislation in this matter or in order to comply with the applicable legislation and rules in the field of prevention of money laundering (Law 129/2019 and rules) or in order to declare the income obtained by individuals from prizes and gambling (tax and tax procedure code – OUG 77/2009 and HG no. 111/2016).
When you register for an event (bonuses, contests, promotional activities, advertising campaigns and others), we will use the personal data you have voluntarily submitted to us to provide you with the benefits that normally accompany such registration: you will be able to participate in the event, you will be nominated as a winner, you will be contacted for your prize, you will be eligible for prizes, as appropriate.
When you contact us voluntarily, we will use your personal data to answer your questions, respond to your comments and requests, provide guidance and clarification, offer assistance and support.
The placement of certain cookies on your computer, called essential cookies, is necessary in order to display your website. These cookies fall into the category of essential cookies which are necessary for our website to function and therefore cannot be turned off.
If, and only when, you agree to participate in a survey, we will use your personal data to send you our surveys, which are usually carried out to find out our customers’ opinions about our products and services and to improve their experience with us, but also to obtain confirmation of market preferences, wishes, expectations and therefore to be able to offer you better products and services.
If, and only when, you agree to your personal data being used for advertising purposes, we will use this data for this purpose in the form agreed with you.
By signing up for our direct marketing communications services, you are expressly consenting to receive messages, phone calls or promotional content from the Personal Data Controller via the email address and phone number or other means of contact you have provided to us.
By doing so, you allow us to contact you and send you promotional content or messages via SMS, email, mail, direct text messages, instant messages, marketing phone calls and other types of communications. If at any time you wish to stop receiving these calls, messages, notifications or promotional information, you may notify us or follow the “unsubscribe” or STOP instructions contained in the promotional messages you receive. As a general rule, in cases where you withdraw your consent, the Operator(s) will no longer allow the processing of your data and will take appropriate steps to delete any records of your personal data. However, if the processing is strictly necessary and the processing could be based on other grounds: legal obligations/legitimate interest, contract, vital interest, public interest provided for by the applicable legal provisions, the Controller will still proceed with the processing in question while respecting your rights.
Based on our legal obligations, we will process your personal data in the following situations:
To strengthen our data security and our ability to prevent fraud.
To comply with the obligations imposed by the legal framework applicable to the gambling industry.
To meet our tax obligations under the Tax Code and other applicable tax laws.
To pursue our legitimate interests, we will process your personal data as follows:
Based on our interest in improving our products and services – we will process your personal data for statistical purposes to produce aggregated de-identified statistical data, which we will use to improve our products and services.
Based on our legitimate interest to consolidate, expand or streamline our business – we will process your personal data in the event of a reorganisation or merger or acquisition by another company or in the event of a transfer of our business.
Based on our legitimate interest to protect, secure or prevent loss/damage to our rights – we will process your personal data in the context of filing complaints or responding to complaints filed against us.
You can decide at any time not to provide us with the requested personal data. However, if you refuse to share your personal data with us if and when requested, we may not be able to fulfil our contractual obligations where the collection and processing of that data is a legal obligation for us (for example, if you refuse to provide us with your personal number, we may not be able to grant you your winnings). You may also be ineligible to participate in certain activities or events if you do not provide us with the minimum information required (for example, if you refuse to share your contact details with us, you may not be able to participate in a promotional activity as we would not be able to contact you to award your winnings).
Your refusal to share your personal data with us in order to benefit from certain services may also limit the services and special offers we can offer you. For example, if you do not consent to receive our newsletter, you will not be able to receive any of our newsletters. We will not process your personal data if you just want to visit our website and learn more about our services and products.
- Duration of retention of your personal data
The criteria used to determine the duration of the processing of personal data belonging to customers, employees or legal representatives of business partners will take into account the fact that the processing is necessary for the performance of the contractual relationship, and at the end of the contractual relationship, will take into account the legal obligations in the field of gambling, in fiscal matters established for the Operator.
You may at any time ask us to delete certain information or to close your REDSEVENS account / card and we will comply with these requests, subject to the retention of certain information even afterwards, in situations where the applicable gambling, accounting, tax, etc. legislation or our legitimate interests so require.
In view of the legal reporting obligations established for REDSEVENS as a gambling operator, for the fulfilment of these obligations, REDSEVENS may transmit personal data belonging to data subjects to the administrative authorities with attributions in the field of labour relations, in the field of gambling or in the field of preventing and combating money laundering.
In addition, in order to ensure quality services, the Operator may contract processors, within the meaning of Article 28 of the GDPR, to carry out processing operations, such as electronic communications for marketing purposes, loyalty program management, document archiving or data storage.
There may be situations where the Controller processes data jointly with other controllers, in which case the parties are qualified by Article 26 of the GDPR as joint controllers. Such situations arise in particular with regard to the buttons present on the www.redsevens.ro page leading to the Facebook/Instagram page or to the YouTube channel. You should also be aware that the processing of your data by Facebook/Instagram/YouTube is subject to the processing policies of these operators.
Where appropriate, we may transmit or provide access to certain of your personal data to the following categories of recipients:
– to companies within the same group of companies as REDSEVENS/associates
– REDSEVENS partners
– IT service providers
– payment/banking service providers;
– marketing service providers
– legal/accounting/audit service providers;
– other companies with whom we can develop joint projects in the field of gambling
In these situations we take the necessary measures in accordance with the legal provisions on data protection and confidentiality of information, based on contracts and/or agreements concluded with third parties.
If we have a legal obligation or if it is necessary to protect a legitimate interest, we may also disclose certain personal data to public authorities – ONJN / ANAF / IPJ / ONPCSB, etc.
We currently store and process your personal data on the territory of Romania.
However, we may transfer some of your personal data to entities located in the European Union or outside the European Union. We will always take steps to ensure that any international transfer of personal data is carefully managed in order to protect your rights and interests. Transfers to service providers and other third parties will always be protected by contractual commitments and, where appropriate, other safeguards such as standard contractual clauses issued by the European Commission.
- SECURITY OF PERSONAL DATA
We are committed to ensuring the security of personal data by implementing appropriate technical and organisational measures.
Despite the measures taken to protect your personal data, please be aware that the transmission of information over the Internet in general, or via other public networks, is not completely secure and there is a risk that data may be seen and used by unauthorised third parties. We cannot be responsible for such vulnerabilities of systems not under our control.
- PROCESSING BY VIDEO MEANS
The operator is responsible for ensuring compliance with the principles on the processing of personal data including in the context of processing carried out by means of video devices in the gaming rooms belonging to REDSEVENS.
The operator processes your personal data, i.e. your image, by means of video systems for the purpose of monitoring the access of persons to the premises or workplaces where it carries out its activities, ensuring the security of the company’s premises and assets, as well as the safety of persons in the aforementioned premises. The video surveillance system is used to ensure safety and security.
The surveillance system allows real-time monitoring and post-event viewing as well as video recording, display and transmission to various designated users of the video surveillance system. You should be aware that processing operations on your data occur only to the extent that you are within the video surveillance perimeter, and refusal to provide such data is equivalent to restricting access to the company’s premises.
Grounds for processing. The processing of personal data by means of video surveillance devices, the installation and the use of the equipment and components of the video surveillance system from a technical point of view is carried out in accordance with the relevant legal provisions, i.e. the provisions of Law no. 333/2003 on the protection of objectives, goods, values and persons and the methodological rules for the application of this Law, approved by Government Decision no. 301/2012.
From the point of view of the provisions of Article 6 para. (1) lit. c and f of the GDPR, the basis of the processing is the legal obligation established for the controller by the aforementioned legal provisions, the legitimate interest of the controller to prevent conduct that has been found to be harmful to him or to other persons present in the gaming room or at the company’s premises. The extracted images may also be used for the exercise of a right, if the images show the person concerned committing an act punishable by criminal law or an offence punishable by law.
The image of the person who is captured in the perimeter captured by the surveillance cameras. Data subjects may be: customers of the operator or employees of the operator. Occasionally, images may also capture persons who are present within the range of the surveillance cameras or employees of contractual partners.
Duration of processing. The images collected by the surveillance cameras are stored for an average of 20 days, or according to the time limits laid down in the legislation in case of incidents.
- PROCESSING OF PERSONAL DATA RELATING TO MINORS
- YOUR RIGHTS UNDER THE GDPR REGULATION ARE AS FOLLOWS:
- The right to be informed about the processing of your data
- Right of access to data. You have the right to obtain confirmation from us as to whether or not personal data relating to you are being processed and, if so, access to that data and to the information referred to in Article 15(1) of the GDPR.
- Right to rectify inaccurate or incomplete data. You have the right to obtain from us, without undue delay, the rectification of inaccurate personal data concerning you.
- Right to erasure (“right to be forgotten”). In the situations set out in Article 17 of the GDPR, you have the right to request and obtain the erasure of personal data.
- Right to restriction of processing. In the cases set out in Article 18 of the GDPR, you have the right to request and obtain restriction of processing.
- The right to transfer data we hold about you to another controller (“right to portability”). In the cases set out in Article 20 of the GDPR, you have the right to request and obtain data portability.
- The right to object to data processing. In the cases set out in Article 21 GDPR, you have the right to object to data processing.
- The right not to be subject to a decision based solely on automated processing, including profiling with legal or similar significant effects on you.
- The right to take legal action to defend your rights and interests.
- The right to lodge a complaint with a Supervisory Authority
- The right to withdraw consent. You may withdraw your consent to direct marketing at any time by following the unsubscribe instructions in each email/sms or other electronic message or by sending a request to this effect to the Operator’s address mentioned below.
Each application received will be analysed to decide whether it is justified or not. If the request is unfounded, we will reject it, but we will inform you of the reasons for the rejection and of your rights to lodge a complaint with the Supervisory Authority and to take legal action.
- We will try to respond to your request within one month. However, the deadline may be extended depending on various aspects, such as the complexity of the request, the large number of requests received or the impossibility to identify you in a timely manner.
- If, despite our best efforts, we are unable to identify you and you do not provide us with additional information to identify you, we are not obliged to act on your request.
- CONTACT DETAILS
The operator provides the possibility for data subjects to submit any request/complaint via e-mail to ……………………….. or in writing to: RED SEVENS S.R.L. – with registered office in Mun. Oradea, Pta. Nucetului, nr.7, Bl.A6, et.6, ap.609, Jud. Bihor
In Romania, the contact details of the data protection supervisory authority are as follows: National Supervisory Authority for Personal Data Processing
B-dul G-ral. Gheorghe Magheru nr. 28-30, Sector 1, postal code 010336, Bucharest, Romania
Telephone: +40.318.059.211 or +40.318.059.212;
Without prejudice to your right to contact the supervisory authority at any time, please contact us in advance, and we promise to make every effort to resolve any issues amicably.
This Policy may be published for information purposes in several languages. The English version will take precedence in the event of any discrepancies.
Version 1.0 – 2022