Privacy Notice of the Processing of Personal Data of OlyBet Customers
Valid from: 09.03.2023
1. General provisions
1.1. This notification explains the processing of customers’ personal data in the OlyBet gaming environment on the websites www.olybet.ee and www.olybet.eu and the rights of customers in relation to the processing of personal data.
1.2. The data controller is OB Holding 1 OÜ (hereinafter OLYBET), registry code 14975047, address Pronksi 19, Tallinn 10124, Estonia, +3726671250, [email protected].
1.3. The contact details of the Data Protection Officer of OLYBET are the following: [email protected], +372 667 1250, Pronksi 19, Tallinn 10124.
1.4. OLYBET implements appropriate technical and organisational measures to protect personal data from unauthorised access, unlawful disclosure, accidental loss, alteration, destruction or other unlawful processing. We also require our cooperation partners, to whom we transfer personal data in accordance with this Privacy Notice, to implement the necessary organisational, physical and IT security measures. However, please note that even by using all technical and organisational measures to protect personal data, some risks, such as cyber-attack, loss of electricity, software error or malicious actions of an individual, still remain. Upon discovering such a breach, we shall take all reasonable steps to mitigate and minimise the risk to our customers.
1.5. Provisions on the processing of personal data may also be included in contracts between the customer and OLYBET. In such a case, in the event of a conflict of provisions, the provisions agreed upon in the contract shall apply.
2. Customer rights in relation to the processing of their personal data
2.1. The customer has the right to be informed on whether OLYBET processes their personal data and, if so, to receive a copy of the aforementioned data.
2.2. The customer has the right to request the rectification of inaccurate personal data concerning them.
2.3. The customer has the right to withdraw their consent to the processing of personal data at any time (e.g. direct marketing consent), if the processing is based on consent. Withdrawal of consent does not affect the lawfulness of the processing which took place prior to the withdrawal.
2.4. The customer has the right to demand the erasure of their personal data. OLYBET may delete data processed on the basis of consent or legitimate interest, if OLYBET’s interests do not outweigh the interests of the customer. The right to erasure does not apply to data that is processed for the fulfilment of statutory or contractual obligations, as long as the statutory or contractual obligation is valid.
2.5. The customer has the right to object to the processing of their personal data (especially based on legitimate interest) and to restrict the processing of their personal data where justified.
2.6. The customer has the right to receive their personal data, which they have submitted on the basis of consent or to perform a contract, in a structured and machine-readable format (if technically feasible) for transmission to other companies.
2.7. The customer has the right to lodge a complaint about the processing of personal data with the Estonian Data Protection Inspectorate by e-mail to [email protected] or in person at Tatari 39, Tallinn.
3. Processed personal data and their sources
3.1. OLYBET processes the following customer personal data.
3.1.1. User account registration data: first name, last name, personal identification code or date of birth, e-mail address, country of residence, telephone number.
3.1.2. Customer identification data: type of the identity document, number of the document, date of issue and validity, copy of the document, results of the personal data check from the Estonian Tax and Customs Board gambling self-exclusion list, the list of sanctioned persons and the OLYBET casino exclusion list, country of residence, residential address.
3.1.3. Anti-Money Laundering and terrorist financing (AML) data: first name, last name, user ID, personal identification code or date and place of birth, home address, information on being a politically exposed person, source and origin of known funds, occupation, copy of identity document, other data on the person’s assets from public databases.
3.1.4. Gambling data: self-exclusion data, gambling restriction data, user ID, stake ID, currency, stake amount, current account status, game ID, trader ID, stake type, stake status, expected maximum winning amount, date of results, winning amount, payout, login data, IP address, time and date of starting and terminating the use of the gaming environment.
3.1.5. Transfer details: first name, last name, IBAN or 4 final digits of the card number, amount of the transfer or card payment, place and time of the transaction.
3.1.6. Marketing data: e-mail and/or mobile phone number, language of communication, product/service preference, consent to direct marketing, message content, date and time of message.
3.1.7. Communication data: user ID, message timestamp, message content, user contact details.
3.1.8. Visit data: IP address (including location based on IP address), Internet service provider, referrer URL, date, time, access token, session key, web browser type and version, operating system, amount and status of data transmitted, MAC address.
3.2. OLYBET does not process special categories of personal data related to the customer (data concerning racial or ethnic origin, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about health and genetic and biometric data).
3.3. Depending on the purpose and nature of the processing, OLYBET collects personal data related to the customer from the customer, the customer’s Internet service provider, publicly available sources, and third parties such as public authorities, national databases, payment service providers, e-wallet providers, banks, and from Acuris Risk Intelligence LTD, an intermediary of a database concerning the verification of politically exposed persons and sanctions.
4. Legal basis and purposes of the processing of personal data
4.1. The legal bases for the processing of the customer’s personal data are: performance of statutory obligations, performance of contractual obligations, the data subject’s consent and OLYBET’s legitimate interest.
4.2. The purposes of processing the customer’s personal data are: fulfilling the customer’s registration obligation, fulfilling the customer’s identification obligation, fulfilling the obligation of registering the customer’s financial transaction, fulfilling the "know your customer" requirement, providing gambling services, marketing OLYBET services/products, handling customer feedback, determining the customer’s risk profile, expanding the customer base, building customer loyalty and providing added value, maintaining the poker leaderboard, managing OLYBET resources, improving the gaming environment and website, monitoring work processes and staff, fraud prevention and detection, archiving OLYBET documents, handling whistleblowing reports.
4.3. In the case of data processing for the performance of statutory or contractual obligations, the customer is obliged to provide such personal data. Failure to provide such data will prevent OLYBET from fulfilling its contractual or statutory obligations and will limit the customer’s ability to use the services offered.
4.4. Where OLYBET processes personal data on the basis of legitimate interest, OLYBET has assessed that its legitimate interest in processing personal data for certain purposes outweighs the interests and rights of the customer.
5. Profiling and automated decision-making
5.1. Profiling is used in the following processes and is based on the following logic.
5.1.1. Marketing the services/products offered by OlyBet and Olympic Casino, taking into account the volume of customer visits, services and games used.
5.1.2. Determining the risk profile of the customer taking into account the customer’s last 365 days of visits, game and payment statistics. On the basis of the risk profile, OLYBET may ask for proof of the customer’s income, failing which OLYBET has the right to restrict the customer’s access to the services offered in the gaming environment.
5.2. Automatic decisions are used in the following processes and based on the following logic.
5.2.1. Identifying you and verifying your access to the gaming environment when you open a user account on the websites. When you register as a user of the gaming environment on the websites, we will automatically verify that you meet the requirements to open a user account and access the gaming environment. The automated decision-making involves the analysis of your personal data, including, but not limited to, the processing of your date of birth (age), personal identification code, nationality, self-exclusion data and gambling restriction data. As a result of the automated decision, your account and access to the gaming environment will be approved or denied.
5.2.2. Verification of user payment transactions. Pursuant to applicable legislation, OLYBET is obliged to verify whether your payment account details correspond to the details you provided to use the gaming environment. The automated decision-making process primarily includes the processing of your bank account details (name, bank account number). The relevant data is usually provided to us directly by you or your payment service provider. As a result of the automated decision, the transfer of funds to you or your user account will be approved or denied.
5.2.3. Risk and compliance assessment concerning game rules and other rules of the gaming environment. In accordance with the game rules, OLYBET does not allow cooperation between customers and therefore takes active measures to prevent the use of scripts, robots and other devices and methods that violate the rules of fair gaming. In order to prevent fair play violations and non-compliance, we analyse your activities on the websites and in the gaming environment. We base our analysis primarily on visit and gaming data as defined in sections 3.1.4 and 3.1.7 above. We compare these to the data we have previously collected or obtained from a third party service provider about you or your device. As a result of automated decisions, OLYBET and/or the involved gaming service provider (which processes the relevant data in aggregated form based solely on the user ID) may restrict access to features of the gaming environment (for example, cancel repetitive stakes placed from the same IP address or shared address, limit maximum stake amounts or take other measures) if analysis identifies a risk or violation of the rules.
5.2.4. Fraud detection. Applicable legislation obliges OLYBET to detect and prevent money laundering and fraudulent activities. For this purpose, OLYBET or the anti-fraud service provider will compare your device’s network identifiers (for example, visit data and cookie data as defined in sections 3.1.7. and 3.1.9.) and gaming data (see section 3.1.4. above) with similar previously collected data about you or your device used to visit websites. In the event that your user account is identified as being linked to fraud or money laundering, OLYBET may, as a result of an automated decision, restrict access to the gaming environment (for example, block or ban your user account).
5.2.5. In general, automated decisions described in section 5.2 are made without human intervention. Where decisions as defined in 5.2.3 and 5.2.4 are made, you have the right to direct personal contact, the right to express your views on the decision and the right to challenge the decision.
6. Transmission of personal data
6.1. In order to provide services and/or to fulfil its legal obligations, OLYBET uses partners as personal data processors, who process data based on and to the extent of the instructions given by OLYBET.
6.2. When processing personal data, OLYBET will transfer your personal data to the following recipients, which may be either data controllers or processors: gaming service providers (user ID and IP address only), public authorities, courts, banks, auditors and legal advisors, insurance companies, analytics service providers, fraud detection and prevention service providers, customer authentication service providers, survey service providers, archiving service providers, information transmission and communication service providers, PEP and sanction verification database intermediaries, poker tournament management software providers, streaming service intermediaries, whistleblowing platform operators.
6.3. If the OLYBET partner processing the data is located outside the European Union, the safeguards to be used for the transmission of personal data are: an adequate level of data protection in the recipient country in accordance with the European Commission’s decision, or the use of standard contractual clauses for data protection developed by the European Commission in the cooperation agreement (click on the relevant link for more information).
6.4. The joint controller of customer data is the Olympic Casino operator Olympic Entertainment Group AS (address Pronksi 19, Tallinn 10124, Estonia, +3726671250, [email protected]), which is part of the same group as OLYBET, with whom OLYBET processes customer data for the purposes of marketing services/products, determining the customer’s risk profile and managing OLYBET’s resources. The parties have entered into an agreement to this effect.
7. Time limits for the retention of personal data
7.1. The personal data of a customer is retained until the purposes of the processing have been fulfilled or until the obligations arising from the legislation have been fulfilled.
7.2. In accordance with the legislation, OLYBET must retain registration, identification, AML and gaming data for at least 5 years after the last login of the customer. Generally, after 5 years, the customer’s personal data will be deleted from the user account, but the non-personalised gaming data will remain. If the personal data is not deleted after 5 years from the last login, OLYBET has assessed that it has a legitimate interest in retaining all or part of the data, in which case OLYBET will not retain the relevant data for longer than OLYBET needs to fulfil its legitimate purposes.