This Privacy Notice contains general information about how the Company processes personal data in the course of its core business, the rights of data subjects and how to contact the Company regarding any issues related to the processing of personal data.
Privacy Policy terms and conditions and changes
The terms and conditions of data processing are available at any Fenix Casino gaming room or at J.Vilmsi 59, Tallinn. The company reserves the right to change its privacy policy if necessary.
Protecting the privacy of our customers, staff and guests is very important to us. That’s why we’ve created a privacy policy that explains how we collect, use, disclose, transfer and store personal information. When processing personal data, we comply with the laws in force in Estonia, including the General Data Protection Regulation (GDPR) of the European Union. The company aims to be a trustworthy partner for the data subject in the processing of personal data and to respect the data subject’s rights. In order to provide the Service, the company may share personal data with other Novomatic Group companies.
Personal data are data through which an individual can be identified. The controller of the personal data is Novoloto OÜ (hereinafter referred to as the Company), J.Vilmsi 59, 10115 Tallinn, Estonia, +3726116161, novoloto@novoloto.ee . The Company processes personal data for the purpose of providing a service to a gambling operator, on the basis of consent or law, in order to fulfil the objectives of the organisation and to provide the best service. The lawful grounds for processing personal data include, but are not limited to, a legitimate interest or a Contract between an individual and the Company.
When collecting personal data from an individual, we limit ourselves to the minimum necessary. The natural person whose data we process has the right at any time to:
- to request access to personal data concerning a person;
- ask for the data to be corrected;
- request the deletion of the data;
- restrict the processing of personal data;
- object to the processing of personal data;
- request the transfer of personal data;
- request that no decision based on automated processing be taken concerning a person.
- claim compensation for the damage he has suffered.
- withdrawal of consent.
In the event that a Fenix Casino customer no longer wishes to receive communications from the Company, he/she may withdraw his/her consent at any time at the Fenix Casino gaming location. The contact person to whom to submit requests and requests related to the processing of personal data, including requests for updating, modification or deletion of personal data, or to stop the processing of personal data, etc., is the Data Protection Officer by sending an email to compliance@novoloto.ee. Novoloto OÜ, reg. no. 10159983, address J.Vilmsi 59, Tallinn, Harjumaa 10115. Phone number. The information shall be provided to the person within one month at the latest, taking into account the circumstances of the specific processing, unless the person already has the information, the provision of the information is impossible or would involve a disproportionate effort, access to or disclosure of the personal data is required by law or the personal data are covered by an obligation of secrecy. If the person is not satisfied with the reply he or she has received, he or she has the right to contact the Data Protection Supervisor at 627 4135, info@aki.ee.
Procedure for processing personal data of NOVOLOTO OÜ EMPLOYEES
1. GENERAL PRINCIPLES AND DEFINITIONS
1.1. This Procedure for the Processing of Personal Data, Including Sensitive Personal Data (hereinafter referred to as the Procedure) (hereinafter referred to as the Procedure) sets out the principles of the processing of personal data by Novoloto OÜ (hereinafter referred to as the Employer), the rights of the data subject with regard to the processing of personal data and security measures for the protection of personal data.
1.2. When processing personal data, the employer is guided by the Personal Data Protection Act and the following principles:
1.2.1. Principle of lawfulness – personal data are collected only fairly and lawfully;
1.2.2. Purpose limitation – personal data are collected only for specified and legitimate purposes and are not processed in a way incompatible with the purposes for which they are processed;
1.2.3. Principle of minimality – personal data are collected only to the extent necessary to achieve the purposes for which they are collected;
1.2.4. Restriction of use principle – personal data are used for other purposes only with the consent of the data subject or with the authorisation of the competent body;
1.2.5. the data quality principle – personal data must be up-to-date, complete and necessary for the purposes for which they are processed;
1.2.6. security principle – security measures are implemented to protect personal data against accidental or unauthorised processing, disclosure or destruction;
1.2.7. the principle of individual participation – the data subject is informed of the data collected about him or her, is given access to data relating to him or her and has the right to request the rectification of inaccurate or misleading data.
1.3. Personal data are any data relating to an identified or identifiable natural person, regardless of the form or format in which the data are held.
1.4. Sensitive personal data are:
1.4.1. information on medical condition or disability;
1.4.2. information on the commission or victimisation of an offence before a public hearing or the decision on the offence or the conclusion of the proceedings.
2. THE GROUNDS FOR PROCESSING AND THE CATEGORIES OF DATA PROCESSED
2.1. The Employer will process personal data only for legitimate purposes and only to the extent necessary for the performance of the activities and duties referred to in this Clause.
2.2. As a result of the conclusion and performance of an employment contract, the employer collects, stores and processes the employee’s personal data. The grounds for processing personal data are:
2.2.1.Employer initiative:
2.2.1.1. Mandatory data for employment contracts – name, personal identification code, residential address, e-mail, telephone number, salary details and bank account number; criminal record query (first name, surname, personal identification code), health certificate for infectious diseases (first name, surname, personal identification code, health status);
2.2.1.2. to ensure the performance of the job duties and to be admitted to work (e.g. power of attorney, access, employment certificate) (first name and surname, personal identification number, contact details, photo);
2.2.1.3. for payroll, the development of incentive and reward schemes and other human resources management purposes (first and last name, seniority, salary data).
2.2.1.4. Criminal record query (first name, surname, personal identification number);
2.2.1.5. medical decisions (first name, surname, personal identification number, medical condition);
2.2.1.6. Employee to give a child a Christmas present (child’s first and last name, date of birth);
2.2.1.7. to carry out supervision and control, internal checks of employees’ payroll data, meetings, training, termination of employment contracts.
2.2.1.8. law (e.g. video recording, when accepting a gambling restriction application from a customer, when declaring wages, when referring to an occupational health physician, etc.), other legislation and service contracts with the Employer;
2.2.1.9. to obtain the relevant information from the employee to order the appropriate size of workwear to fulfil the contract.
2.2.2. The person’s own initiative (including an application, statement, registration form or its electronic form, a memorandum, a request for information) or any other approach to the Employer:
2.2.2.1. data provided by the job applicant for the purpose of concluding the employment contract (first name and surname, contact details; CV, cover letter; date of birth and/or personal identification number; residential address; proof of education; proof of language proficiency; details of identity document; criminal record); name and contact details of the person indicated by the applicant as a reference;
2.2.2.2. the data needed to enable the employee to exercise rights relating to personal and family responsibilities (e.g. different types of leave) (first name and surname, child’s first name and surname and personal identification number, information on the person’s state of health) – The employer will ask for this information when the employee requests to exercise these rights.
For normal correspondence and internal company documents, etc., the use of a personal identification number is generally not necessary. In order to reply to an individual’s request for clarification or to authorise leave, the name of the employee and, where appropriate, the attached (work) address or post will usually suffice.
2.3. The employer has appointed a person responsible for the protection of personal data, whose name and contact details have been communicated to the Data Protection Inspectorate. The person responsible is independent of the controller in his or her activities and controls that the controller processes personal data in accordance with this Act and other legislation. The person responsible for the protection of personal data shall keep a register of the personal data processor’s data processing.
3. PERSONS WHOSE DATA ARE PROCESSED
3.1. As an employer, processes personal data of persons employed under the Employment Contracts Act and the Law of Obligations Act.
4. ACCESS TO DATA BY EMPLOYEES OF THE EMPLOYER
4.1 The employer shall provide the employee with access to the data necessary for the performance of the employee’s duties as defined in the job description and shall define the roles of each employee in the processing of data in the database/information system in accordance with the access rights.
4.2 The technical description of the data processing and the requirements for ensuring security (including changing passwords for computers, use and storage of computers outside the premises, etc.) are described in the IT security guidelines.
4.3. Employers process employees’ personal data in particular in connection with the conclusion and performance of an employment contract. In addition, personal data may be processed (including transferred to companies belonging to the same group of companies as the employer, both in Estonia and abroad) for the central management of employees’ personal data, the monitoring of employees’ work discipline, the planning of training, payroll, the development of motivation and incentive schemes and other human resources management purposes. Personal data are processed both electronically and on paper.
5. THIRD PARTIES TO WHOM THE TRANSFER AND PROCESSING OF PERSONAL DATA MAY BE DISCLOSED.
5.1. The Employer discloses and/or transfers personal data to third parties, including third parties located abroad who have the right to do so by law, regulation or international agreement and, where applicable, to the following:
5.1.1. To the extent necessary for the provision of the service concerned, to the employer or to service providers of the Novomatic group of companies, such as technical or IT support providers for databases, etc. (including payment, communication, legal and IT service providers);
5.1.2. Employers and professional advisors such as lawyers, auditors, accountants, consultants, etc. to companies in the Novomatic group;
5.1.3. to the tax and customs authorities, the police and other public authorities to the extent reasonably required by the employee’s employment relationship and the employer’s legal obligations.
5.1.4. to the controller of the database;
5.2. The employer always records the transfer of personal data to third parties.
5.3. Regardless of where personal data is transferred or accessed, the employer ensures the protection of personal data in accordance with the requirements set out in the legislation on the processing of personal data.
5.4. The employer hereby confirms that the personal data are not available for public use.
5.5. The Employer hereby also confirms that personal data will be processed in accordance with the principles of lawfulness, purpose limitation, minimality, data quality, security and individual participation.
6. EMPLOYEE RIGHTS AND ACCESS TO DATA
6.1. The employee is right:
6.1.1. receive information about personal data concerning him or her
6.1.1.1. personal data about him or her;
6.1.1.2. the purposes for which the personal data are processed;
6.1.1.3. the composition and sources of personal data;
6.1.1.4. third parties or categories of third parties to whom the transfer of personal data is permitted;
6.1.1.5. third parties to whom his or her personal data have been disclosed;
6.1.2. ask for the data to be corrected;
6.1.3. request the deletion of the data;
6.1.4. restrict the processing of personal data;
6.1.5. object to the processing of personal data;
6.1.6. request the transfer of personal data;
6.1.7. that no decision based on automated processing is taken in respect of the worker.
6.1.8. withdrawal of consent;
6.1.9. lodge a complaint with the data protection supervisory authority.
6.2. Where possible, personal data shall be disclosed in the manner requested by the Employee.
6.3. The employer is obliged to state the reasons for refusing to disclose the data or information. The Employer shall inform the Employer of the decision to refuse to provide the data or information within five working days of the date of receipt of the request.
6.4. An employer has the right to refuse to provide information to a data subject where it may:
6.4.1. harm the rights and freedoms of another person;
6.4.2. prevent a crime from being prevented or a criminal caught;
6.4.3. make it more difficult to establish the truth in criminal proceedings.
6.6. p. 6.1. to exercise the right, the Employee shall submit a written request to the Employer’s Data Protection Officer.
6.7. In order to ensure that the employer has correct and accurate personal data at all times, the employee is obliged to inform the employer immediately of any changes to his or her personal data.
7. RETENTION AND EMPLOYEE CONSENT
7.1. Upon termination of the employment relationship, all data relating to the Employee that is not necessary will be deleted or closed. Some documents may need to be kept without the employee’s consent for a statutory period or until the expiry of the limitation period for the relevant employment claims.
7.2. Examples of these documents and limitation periods are:
7.2.1. written employment contract and medical decisions – 10 years;
7.2.2. results of occupational safety and health risk assessment and accident at work and occupational illness investigation – 55 years;
7.2.3. accounting records – 7 years;
7.2.4. limitation period for pay claims – 3 years;
7.2.5. limitation period for claims for recognition of rights arising from the employment relationship and for the defence of infringed rights – 4 months;
7.2.6. time limit for contesting the termination of an employment contract – 30 calendar days;
7.2.7. the employer’s claim against the employee for back pay and other financial claims arising from the employment relationship – 12 months.
7.2.8. Other documents relating to the employment relationship may be kept after the end of the employment relationship with the consent of the employee. Withdrawal of consent has no retroactive effect. However, further processing will cease.
7.2.9. As a general rule, it is not possible to require the cessation of processing of personal data under the Act.
7.4. The employee’s consent does not need to be obtained if the employee’s personal data are processed in the following cases:
7.4.1. The personal data of the employee is processed to the extent and under the conditions provided for in the employment contract for the performance of the employment contract.
7.4.2. The obligation to process personal data arises by law.
7.4.3. The personal data of the employee will be transferred to the institution that needs the data to carry out its legal tasks.
7.4.5. Personal data of the employee that the employee has disclosed is processed.
7.4.6. Personal data of the Employee that has been disclosed by law is processed.
7.4.7. Surveillance devices are used to protect people and property.
7.4.8. The processing of personal data is necessary in an exceptional situation, for the protection of the life or health (but not the property!) of the employee or another person, and it is not possible to obtain the employee’s consent.
8. PROCESSOR AND ITS OBLIGATIONS
8.1. Employees of the employer who process personal data are obliged to:
8.1.1. process personal data for the purposes and under the conditions and in accordance with the instructions set out in this Procedure and/or other Employer procedures relating to the processing of personal data;
8.1.2. keep personal data disclosed to him or her in the course of his or her duties confidential, even after the performance of his or her duties in relation to the processing or the termination of the employment relationship;
8.1.3. if necessary, participate in training on personal data protection offered by the Employer;
8.1.4. be familiar with and comply with the law (including the Personal Data Protection Act) and the information on data processing published on the website of the Data Protection Inspectorate.
8.2. The employer undertakes to: delete or block without undue delay any personal data that are not necessary for the purposes for which they were collected, unless otherwise provided by law;
8.2.1. ensure that personal data is accurate and, where necessary for the purposes for which it is collected, timely;
8.2.2. to block incomplete and inaccurate personal data and to take the necessary measures to ensure that they are completed and corrected without delay;
8.2.3. block personal data the accuracy of which is contested until the accuracy of the data is verified or the accuracy of the data is established;
8.2.4. in the event of rectification of personal data, promptly inform the third parties from whom or to whom the personal data were obtained or disclosed, where technically feasible and where this does not involve disproportionate costs.
9. SECURITY MEASURES FOR THE PROTECTION OF PERSONAL DATA
9.1. The security measures implemented to protect personal data aim to ensure that:
9.1.1. data integrity, i.e. to protect data against accidental or intentional unauthorised alteration;
9.1.2. data portability, i.e. to protect data against accidental or intentional destruction and against prevention of unauthorised access by a legitimate person;
9.1.3. data confidentiality, i.e. to protect data against unauthorised processing.
9.2. The employer’s security requirements are regulated in the Novoloto OÜ Security Policy.
9.3. The personal data processed by the employer are in paper form or in digital form on storage media and servers, which are accessed using unique user IDs and passwords. The principles for the organisation of document management are set out in Novoloto OÜ’s administrative procedures and the list of documents.
9.4. Paper documents or removable media containing sensitive personal data are stored in lockable cabinets or safes.
9.5. The data that is added to the institution’s document management systems is restricted to a designated group of persons against unauthorised processing. The document management systems shall have an audit trail function to identify, where necessary, who modified or viewed what personal data, when and by whom.
9.6. Sensitive personal data that are not registered or added to the document management system are transmitted to authorised persons for the performance of their tasks.
9.8. Personal data processed in other databases are protected by access rights agreed in job descriptions or contractual agreements, personal passwords.
9.9. Access to server disks is limited.
9.10. In the case of remote working, the processing of paper documents containing personal data is not allowed.
10. PROTECTION OF RIGHTS AND CONTACT DETAILS
10.1. The Employer is the controller of the employee’s personal data.
10.2. The contact person to whom a staff member has the right to submit requests and requests related to the processing of personal data, including requests for updating, amending or deleting personal data, or to stop the processing of personal data, etc., is the Data Protection Officer by sending an email to compliance@novoloto.ee .
Novoloto OÜ, reg. no. 10159983,
Legal address J. Vilmsi 59, Tallinn, Harjumaa 10115
Telephone number: +372 6116161
10.3. The information shall be provided to the employee within one month at the latest, taking into account the circumstances of the specific processing, unless:
- the person already has this information,
- it is impossible or would require disproportionate effort to provide the information.
- the receipt or disclosure of personal data is required by law; or
- personal data are covered by an obligation of secrecy.
If the Employee is not satisfied with the reply received, he or she has the right to contact the Data Protection Inspectorate at 627 4135, info@aki.ee.