Olympic Entertainment Group Business Partner Privacy Notice

1. General provisions


1.1. This notice explains the processing of personal data in the course of Olympic Entertainment Group’s KYB process.


1.2. The data controller is the legal entity with which your company contemplates entering into a business relationship with. Depending on the territory of the Group member or other contractual arrangements, the data controller can be the following legal entities separately or jointly:

1.2.1. Estonia 
•    Olympic Entertainment Group AS (14437516, Pronksi 19, 10124 Tallinn, Estonia)
•    OB Holding 1 OÜ (14975047, Pronksi 19, 10124 Tallinn, Estonia)


1.2.2. Latvia
•    Olympic Casino Latvia SIA (40003264397, Rēzeknes iela 5 E, Rīga, LV-1073, Latvia )
•    Olybet Latvia SIA (44103143645, Rēzeknes iela 5 E, Rīga, LV-1073, Latvia)


1.2.3. Lithuania 
•    Olympic Casino Group Baltija UAB (211733760, Konstitucijos pr. 12, Vilnius, Lithuania)


1.2.4. Slovakia
•    Olympic Casino Slovakia s.r.o. (35953080, Mostová 2, Bratislava – mestská čast‘ Staré Mesto)


1.2.5. Croatia
•    International Evona d.o.o. (080244589)
•    Modern Games d.o.o. (04022875, Stepinceva 36, Stobrec, Croatia)


1.2.6. Spain
•    Suertia Interactiva S.A.U (A65682676, Paseo Alcalde Sanchez Prados, 4-5, Entreplanta Pta 11 Ceuta 51001)
•    Olybet Services S.L (B13663653, Paseo de la Castellana 90 – 1º, Madrid, Spain


1.2.7. France
•    FP Operateur SAS (907 630 420, 48 Allées Forain-François Verdier 31000 Toulouse, France)


All referred to as the “Group”.


1.3. The contact details of the Group’s Data Protection Officer are DataProtectionOfficerEstonia@oc.eu, +3726671250, Pronksi 19, Tallinn 10124, Estonia.


1.4. The Group implements appropriate technical and organisational measures to protect personal data from unauthorised access, unlawful disclosure, accidental loss, alteration, destruction or other unlawful processing. We also require our cooperation partners, to whom we transfer personal data in accordance with this Privacy Notice, to implement the necessary organisational, physical and IT security measures. However, please note that even by using all technical and organisational measures to protect personal data, some risks, such as human error, cyber-attack, loss of electricity, software error or malicious actions of an individual, still remain. Upon discovering such breach, we shall take all reasonable steps to mitigate and minimise the risk to our data subjects.


1.5. Provisions on the processing of personal data may also be included in contracts between the and the Group. In such a case, in the event of a conflict of provisions, the provisions agreed upon in the contract shall apply.


1.6. The data subjects are all natural persons who are associated with the legal entities with whom the Group is contemplating into entering to a business relationship, such as, but not limited to members of the board, directors, shareholders, UBOs or authorised signatories.


2. Data subject rights in relation to the processing of their personal data


2.1. The data subject has the right to be informed on whether the Group processes their personal data and, if so, to receive a copy of the aforementioned data.


2.2. The data subject has the right to request the rectification of inaccurate personal data concerning them.


2.3. The data subject has the right to request the erasure of their personal data. The Group may delete data processed on the basis of consent or legitimate interest if the interests of the Group do not outweigh the interests of the data subject. The right to erasure does not apply to data that is processed for the fulfilment of a legal or contractual obligation, as long as the legal or contractual obligation is valid.


2.4. The data subject has the right to object to the processing of their personal data (especially on the basis of legitimate interest) and to restrict the processing of their personal data where justified.


2.5. The data subject has the right to receive their personal data, which they have submitted, in a structured and machine-readable format (if technically feasible) for transmission to other companies.


2.6. The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.


2.7. The data subject has the right to lodge a complaint about the processing of personal data with the appropriate data protection supervisory authority in the relevant territory.


3. Processed personal data and their sources


3.1. The Group processes the following categories of personal data:


3.1.1. Identification data: first name, last name, personal identification code or date of birth, photo of the person.


3.1.2. AML and Verification data: type of the identity document, number of the document, date of issuance and validity, copy of the document, the list of sanctioned persons, country of residence, occupation or activity, country of residence, information on being a politically exposed person.


3.2. The Group does not process special categories of personal data related to the data subject (data concerning racial or ethnic origin, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health, genetic data and biometric data), unless it is made manifestly public by the data subject.


3.3. The Group collects data related to the data subject from the data subject and any legal entity with which a Group member contemplates entering into a business relationship, publicly available sources, and third parties such as public authorities, national databases and Acuris Risk Intelligence LTD, an intermediary of a database concerning the verification of politically exposed persons and sanctions.


4. Legal basis and purposes


4.1. The legal bases for the processing of the data subject’s personal data is: performance of legal obligations.


4.2. For performance of legal obligations, we process: Identification, AML and Verification Data.


4.3. The purposes of processing the data subject’s personal data is to conduct the know-your-business procedure and therefore compliance with applicable laws relating to fight against money laundering, terrorist financing and international sanctions evasion, as well as applicable data protection legislation, such as the General Data Protection Regulation 679/2016/EU.


4.4. The data subject is obliged to provide such personal data. Failure to provide such data will prevent a Group member from fulfilling its legal obligations and will result the Group in either terminating or refusing to enter into the business relationship.


5. Transmission of personal data


5.1. In order to fulfil its legal obligations, the Group uses partners as personal data processors, who process data based on and to the extent of the instructions given by the Group.


5.2. When processing personal data, the Group will transfer your personal data to the following recipients: Group companies, public authorities, courts, banks, auditors and legal advisors, insurance companies, analytics service providers, archiving service providers, information transmission and communication service providers, PEP and sanction verification database intermediary, whistleblowing platform operators, database providers.


5.3. If the Group partner processing the data is located outside the European Economic Area, the safeguards to be used for the transmission of personal data are: an adequate level of data protection in the recipient country in accordance with the European Commission’s decision, or the use of standard contractual clauses for data protection developed by the European Commission in the cooperation agreement (click on the relevant link for more information).


5.4. Any Group member company listed in clause 1.2 may act as separate or as a joint controller of data subject data who processes the personal data for the purpose of conducting its own KYB process or in terms of resource management may share workforce across the Group members to conduct the KYB process for its own or on behalf or benefit of another Group member. The Group has entered into an agreement to this effect, which allows the parties to share the personal data to achieve the purposes contained in this Privacy Notice.


6. Time limits for the retention of personal data


To comply with applicable legislation, we must retain the collected personal data for at least 5 and in some jurisdictions, up to 10 years after the end of the business relationship, depending on the statutory requirements of the jurisdiction of each controller conducting the KYB process. If the personal data is not deleted, then the Group and/or a controller has assessed that it has a legitimate interest in retaining all or part of the data, in which case the relevant data is not retained for longer than needed to fulfil legitimate purposes.

1. General provisions

1.1 This notice explains the processing of customers’ personal data on the www.olybet.com website and the rights in relation to the processing of personal data.

1.2 The data controller is OB Holding 1 OÜ (hereinafter OLYBET), registry code 14975047, address Pronksi 19, Tallinn 10124, Estonia, +3726671250, estonia@oc.eu.

1.3 The contact details of the Data Protection Officer of OLYBET are the following: OlybetEstoniaDPO@olybet.com, +372 667 1250, Pronksi 19, Tallinn 10124.

1.4 OLYBET implements appropriate technical and organisational measures to protect personal data from unauthorised access, unlawful disclosure, accidental loss, alteration, destruction or other unlawful processing. We also require our cooperation partners, to whom we transfer personal data in accordance with this Privacy Notice, to implement the necessary organisational, physical and IT security measures. However, please note that even by using all technical and organisational measures to protect personal data, some risks, such as cyber-attack, loss of electricity, software error or malicious actions of an individual, still remain. Upon discovering such breach, we shall take all reasonable steps to mitigate and minimise the risk to our customers.

1.5 Provisions on the processing of personal data may also be included in contracts between the customer and OLYBET. In such a case, in the event of a conflict of provisions, the provisions agreed upon in the contract shall apply.

1.6 If OLYBET amends the notice on the processing of personal data, it will publish the updated version on its website www.olybetevents.com.

2. Customer rights in relation to the processing of their personal data

2.1 The customer has the right to be informed on whether OLYBET processes their personal data and, if so, to receive a copy of the aforementioned data.

2.2 The customer has the right to request the rectification of inaccurate personal data concerning them.

2.3 The customer has the right to withdraw their consent to the processing of personal data at any time (e.g. direct marketing consent), if the processing is based on consent. Withdrawal of consent does not affect the lawfulness of the processing which took place prior to the withdrawal.

2.4 The customer has the right to demand the erasure of their personal data. OLYBET may delete data processed on the basis of consent or legitimate interest, if OLYBET’s interests do not outweigh the interests of the customer. The right to erasure does not apply to data that is processed for the fulfilment of legal or contractual obligations, as long as the legal or contractual obligation is valid.

2.5 The customer has the right to object to the processing of their personal data (especially based on legitimate interest) and to restrict the processing of their personal data where justified.

2.6 The customer has the right to receive their personal data, which they have submitted on the basis of consent or to perform a contract, in a structured and machine-readable format (if technically feasible) for transmission to other companies.

2.7 The customer has the right to lodge a complaint about the processing of personal data with the Estonian Data Protection Inspectorate of by e-mail to info@aki.ee or in person at Tatari 39, Tallinn.

3. Processed personal data and their sources

3.1 OLYBET processes the following customer personal data.

    3.1.1 Marketing data: e-mail and/or mobile phone number, language of communication, product/service preference, consent to direct marketing, message content, date and time of message.

    3.1.2 Website visit data: IP address (including location based on IP address), Internet service provider, referrer URL, date, time, access token, session key, web browser type and version, operating system, amount and status of data transmitted, MAC address;

    3.1.3 Cookie data: OLYBET uses cookies on its websites to optimise the websites and their functions. Cookies may collect personal data. For more information, please consult OLYBET’s Cookie Policy.

3.2 OLYBET does not process special categories of personal data related to the customer (data concerning racial or ethnic origin, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about health and genetic and biometric data).

3.3 Depending on the purpose and nature of the processing, OLYBET collects personal data related to the customer from the customer, customer’s browser by cookies, the customer’s Internet service provider.

4. Legal basis and purposes of the processing of personal data

4.1 The legal bases for the processing of the customer’s personal data are: performance of contractual obligations, the data subject’s consent and OLYBET’s legitimate interest. The following is a list of processing activities and their legal basis:

    4.1.1 For performance of contract we process: website visit data, cookie data, marketing data;

    4.1.2 Based on consent, we process marketing data, cookie data;

    4.1.3 Based of legitimate interests, we process: website visit data, cookie data.

4.2 The purposes of processing the customer’s personal data are: sending customers newsletters, marketing OLYBET services/products, handling customer feedback, expanding the customer base, building customer loyalty and providing added value, managing OLYBET resources, improving the website.

4.3 In the case of data processing for the performance of legal or contractual obligations, the customer is obliged to provide such personal data. Failure to provide such data will prevent OLYBET from fulfilling its contractual or legal obligations and will limit the customer’s ability to use the services offered.

4.4 Where OLYBET processes personal data on the basis of legitimate interest, OLYBET has assessed that its legitimate interest in processing personal data for certain purposes outweighs the interests and rights of the customer.

5. Profiling and automated decision-making

5.1 Profiling is used in the following processes and is based on the following logic.

    5.1.1 Marketing the services/products offered by OlyBet Events based on analysis of website traffic and determining website usage.

5.2 Automatic decision making is not used on this website.

6. Transmission of personal data

6.1 In order to provide services and/or to fulfil its legal obligations, OLYBET uses partners as personal data processors, who process data based on and to the extent of the instructions given by OLYBET.

6.2 When processing personal data, OLYBET will transfer your personal data to the following recipients, which may be either data controllers or processors: its own group companies, public authorities, courts, banks, auditors and legal advisors, insurance companies, analytics service providers, fraud detection and prevention service providers, customer authentication service providers, survey service providers, archiving service providers, information transmission and communication service providers, streaming service intermediaries, whistleblowing platform operators.

6.3 If the OLYBET partner processing the data is located outside the European Union, the safeguards to be used for the transmission of personal data are: an adequate level of data protection in the recipient country in accordance with the European Commission’s decision, or the use of standard contractual clauses for data protection developed by the European Commission in the cooperation agreement (click on the relevant link for more information).

6.4 The joint controller of customer data is the Olympic Casino operator Olympic Entertainment Group AS (address Pronksi 19, Tallinn 10124, Estonia, +3726671250, estonia@oc.eu), which is part of the same group as OLYBET, with whom OLYBET processes customer data for the purposes of marketing services/products, determining the customer’s risk profile and managing OLYBET’s resources. The parties have entered into an agreement to this effect, which allows the parties to share the personal data to achieve the purposes contained in this Privacy Notice.

7. Time limits for the retention of personal data

7.1 The personal data of a customer is retained until the purposes of the processing have been fulfilled or until the obligations arising from the legislation have been fulfilled.

7.2 Website visit data is retained in accordance with the retention times stated in the Cookie Policy. This depends on different types of cookies  that are used.

7.3 Personal data collected based on customer’s consent, such as Marketing Data is retained until the customer withdraws said consent.

7.4 Personal data collected based on legitimate interests is retained as long as necessary for the purposes they were collected.