Privacy policy

INTRODUCTION

FAVORIT SPORTSKA KLADIONICA doo from Zagreb, Draškovićeva 45, OIB 78977247105, pays particular attention to the protection of personal data and privacy (hereinafter: privacy protection) of its clients, suppliers, employees and other entities with which it enters into relations (hereinafter: clients), in accordance with applicable regulations (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) and the Act on the Implementation of the General Data Protection Regulation) and best European practice. Protecting the privacy of our clients is an integral part of our services and way of doing business.

With our privacy policy, we want to provide clear information about the processing and protection of personal data processed by Favorit sportska kladionica doo and enable clients to easily monitor and manage their personal data and consents.

This Privacy Policy applies from February 2025 and describes what personal data the company Favorit sportska kladionica doo collects, how it processes it and for what purposes it uses it, for how long and how it stores it, as well as the rights of clients (respondents) related to their personal data.

Personal data controller:

FAVORIT SPORTSKA KLADIONICA doo Zagreb, Draškovićeva ulica 45,

OIB: 78977247105

Email: [email protected]

Telephone: 01 6286 668

Personal Data Protection Officer:

FAVORIT SPORTSKA KLADIONICA doo Zagreb, Draškovićeva ulica 45,

OIB: 78977247105

e-mail: [email protected]

1. Scope of application

The Privacy Policy applies to all personal data that Favorit sportska kladionica doo collects, uses or otherwise processes, directly or through its partners. Personal data is any information relating to a natural person whose identity is determined or can be determined, directly or indirectly.

Data processing is any operation performed on personal data, such as collection, recording, storage, use, transfer of personal data, insight into personal data, etc.

Favorit sportska kladionica doo is the data controller in relation to the personal data of its clients in terms of applicable personal data protection regulations.

The privacy rules apply to all natural persons who enter into a relationship with the company Favorit sportska kladionica doo in any respect.

2. Principles of personal data processing

Trustworthiness

Favorit sportska kladionica doo wants to be completely transparent and clear regarding the processing of clients' personal data, which is the purpose of these Privacy Rules, and to have a relationship with its clients based on trust.

Lawfulness of data processing

When processing personal data, Favorit sportska kladionica doo acts in accordance with the law - Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), the Act on the Implementation of the General Data Protection Regulation ("Official Gazette" No. 42/18) and internal rules and procedures relating to the protection of personal data.

Limited purpose of processing

Favorit sportska kladionica doo collects and processes personal data only for a specific and lawful purpose and further processes them only in a manner that is consistent with the purpose for which they were collected.

Data reduction

We always use only customer data that is appropriate and necessary to achieve a specific legitimate purpose, and no more data than that.

Integrity and confidentiality

Personal data is processed securely, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage (only authorized persons who need it to perform their jobs have access to personal data, but not other employees).

Quality of personal data

We attach great importance to the personal data we process. The personal data we process must be accurate, complete and up-to-date, and it is therefore important that clients notify us of any changes to their data immediately or as soon as possible.

Limited storage time

We collect, store and process personal data for as long as prescribed by the law on which the obligation to collect personal data is based, for as long as determined by consent, which clients are informed about when signing the consent itself, or for as long as determined based on the previously established legitimate interest of Favorit sportska kladionica.

3. Method of collecting personal data

Favorit sportska kladionica doo collects personal data directly from clients. There is a legal basis for each processing of personal data. The legal bases on which the processing of personal data is based are: the legal obligation of the controller, the processing is necessary for the performance of the contract, or the processing is carried out at the request of the client for the purpose of carrying out preparatory actions prior to the conclusion of the contractual relationship, the client's consent, the legitimate interest of the controller or the request of a public authority. In accordance with the Regulation, when we base the processing of personal data on a legitimate interest, we conduct a proportionality test in order to determine the existence of a legitimate interest.

44. Purpose and processing of personal data:

Data is processed fairly and legally, and is not collected to a greater extent than is necessary.

We also collect and process personal data in cases specified by law for the purpose of fulfilling legal or contractual obligations and/or with the user's consent for the purpose for which they gave consent and/or for the purpose of concluding and executing a contract concluded between the user and FAVORIT, or on the basis of our legitimate interest; as well as in other cases specified by law.

The collected personal data is used for:

• provision of our services / execution of the contract
• identification purposes and verification
• statistical analysis and research
• regulatory and legislative compliance
• marketing, profiling and market research
• protection of our rights and property
• protection of minors through the prohibition of participation in games of chance
• protection of persons and property in our casino and branches (betting shops)

5. Types of data we collect

Below is a list of what personal data we collect, the legal basis on which we collect it, and how long we store it.

5.1. Contractual data

Favorit sportska kladionica doo may collect the following personal data for the purposes of contract execution, intention to conclude a contract, business negotiations, etc.:

• Name and surname of natural persons, representatives of companies or owners of real estate and the like, i.e. name and surname of natural persons with whom we conclude a contract
• OIB
• Residence
• Email address
• Real estate ownership information
• Data on the giro/current account number
• The fact whether a natural person (president of the board, director, members of the board/supervisory/management board, beneficial owner) or the legal entity itself is on a particular sanction list of the United Nations, the European Union, the Government of the Republic of Croatia or other international organizations, or whether restrictive measures are applied to any of these persons in accordance with the Law on Restrictive Measures ("Official Gazette" No. 133/23) - we collect the aforementioned data on the legal basis arising from the Law on Restrictive Measures, and not as data necessary for concluding a contract (they are listed here only because they are collected for the same purpose - the purpose of concluding a contract)

This data is kept for the period prescribed by the respective Act depending on the type of contract concluded, the period required for the execution of the contract, and after the expiry of that period it is deleted. In relation to contractual relationships under which Favorit sportska kladionica company permanently acquires some property for itself, the aforementioned contracts (and accordingly the above-mentioned data) are kept permanently, while we keep data from other contracts for 11 years from the last payment made under the contract, all in accordance with accounting regulations. In the event that the client refuses to provide some of the requested data, which is necessary for the execution of the contract, Favorit sportska kladionica doo reserves the right to refuse to enter into a business relationship with the client. Also, if, before entering into a business relationship, we determine that a natural or legal person is on a particular sanctions list of the United Nations, the European Union, the Government of the Republic of Croatia or other international organizations, or that restrictive measures are applied to that person in accordance with the Law on Restrictive Measures, in accordance with the aforementioned Act, we may not enter into a business relationship with that person, or, if we are already in a business relationship with that person, we must exit it immediately upon learning of the aforementioned fact.

5.2. Personal data collected in the Casino:

We are obliged to collect data on a legal basis (the Law on Games of Chance in relation to the data that the organizer is obliged to collect when registering players in a casino; the Law on Anti-Money Laundering and Terrorism Financing in relation to the same data with the addition of a copy of the identity card collected according to that Law, and the Law on Games of Chance and the Ordinance on Spatial and Technical Conditions for Organizing Games of Chance in Casinos, on Slot Machines and Betting Deposit Sites in relation to data collected by the video surveillance system) when a client accesses the casino premises, or during the client's stay in the casino, and certain data are a condition for access to the casino premises and games of chance organized in the casino premises or a condition for making a deposit/withdrawal of the client's amount (when the amount is EUR 2,000.00 or more):

• first and last name
• residence
• date and place of birth,
• identification document number, number and name of the document issuer
• a copy or scan of an identification document (for the purposes of conducting an in-depth analysis in accordance with the Law on Anti-Money Laundering and Terrorism Financing in the case of payment/disbursement in the amount of EUR 2,000.00 or more)
• a copy or scan of an identification document (based on the legitimate interest of the data controller during the first registration of the client upon entering the casino)
• date and time of entering the casino
• photograph of the player's face (based on the legitimate interest of the controller)
• personal identification number (OIB)
• citizenship
• data on participation in games of chance (deposits and withdrawals)
• data on political exposure (when completing the form on political exposure of persons in accordance with the Law on Anti-Money Laundering and Terrorism Financing)
• method of exposure (when filling out the form on political exposure of persons in accordance with the Law on Anti-Money Laundering and Terrorism Financing)
• type of public duty (when filling out the form on political exposure of persons in accordance with the Law on Anti-Money Laundering and Terrorism Financing)
• basis of political exposure - public office, family member, close associate (when filling out the form on political exposure of persons in accordance with the Law on Anti-Money Laundering and Terrorism Financing)
• data on the duty performed (when filling out the form on political exposure of persons in accordance with the Law on Anti-Money Laundering and Terrorism Financing)
• date of appointment or time of performance of prominent public office (when completing the form on political exposure of persons in accordance with the Law on Anti-Money Laundering and Terrorism Financing)
• source of assets (when completing the form on political exposure of persons in accordance with the Law on Anti-Money Laundering and Terrorism Financing),
• The fact whether a natural person is on a particular sanctions list of the United Nations, the European Union, the Government of the Republic of Croatia or other international organizations, or whether restrictive measures are applied to any of these persons in accordance with the Law on Restrictive Measures ("Official Gazette" No. 133/23.)

The retention period for personal data collected during registration is prescribed by the Law on Games of Chance and is 10 years in relation to the above data.

We are obliged to keep the data that we are required to collect when conducting customer due diligence (for deposits or withdrawals in an amount equal to or greater than EUR 2,000.00) for 10 years, in accordance with the Law on Anti-Money Laundering and Terrorism Financing. When conducting due diligence, we will collect the same set of data as when registering upon entry, with the only difference being that when conducting due diligence, we will collect a copy or scan of the identification document on the legal basis, while when registering a user, we collect the same personal data on the basis of our legitimate interest.

We collect data on whether a natural person is on a particular sanction list of the United Nations, the European Union, the Government of the Republic of Croatia or other international organizations, or whether restrictive measures are applied to any of these persons in accordance with the Law on Restrictive Measures ("Official Gazette" No. 133/23.) by comparing the above-mentioned and collected data with data from current and publicly published consolidated lists of the United Nations, the European Union and decisions made by the Government of the Republic of Croatia. We carry out the aforementioned check during the registration of each user and after registration, on a daily basis, given the fact that, pursuant to the Act, we are obliged to disable registration for a user who is on a sanction list, or to terminate the business relationship with a previously registered user if he is subsequently included on one of the lists after registration.

We collect your photo during your first registration in the casino based on our legitimate interest for the purpose of easier identification each time you come to the casino.

5.3. Personal data collected during registration for online betting and online casino

Based on the obligations arising from the Law on games of chance, the Ordinance on the organization of games of chance in casinos through interactive online gaming sales channels, the Ordinance on the organization of remote betting games and the Law on Anti-Money Laundering and Terrorism Financing, we are obliged to collect the following personal data:

• username chosen by the player
• the password that the player will use when accessing the website
• player's email address
• player's first and last name
• player's date of birth
• player's residential address
• city and postal code (optional)
• Player's OIB
• player's (mobile) phone number
• player's bank account number (IBAN)
• data on political exposure (when completing the form on political exposure of persons in accordance with the Law on Anti-Money Laundering and Terrorism Financing)
• method of exposure (when filling out the form on political exposure of persons in accordance with the Law on Anti-Money Laundering and Terrorism Financing)
• type of public office (when filling out the form on political exposure of persons in accordance with the Law on Anti-Money Laundering and Terrorism Financing)
• basis of political exposure - public office, family member, close associate (when filling out the form on political exposure of persons in accordance with the Law on Anti-Money Laundering and Terrorism Financing)
• data on the duty performed (when filling out the form on political exposure of persons in accordance with the Law on Anti-Money Laundering and Terrorism Financing)
• date of appointment or time of performance of prominent public office (when completing the form on political exposure of persons in accordance with the Law on Anti-Money Laundering and Terrorism Financing)
• source and funds that are the subject of the transaction
• source of assets (when completing the form on political exposure of persons in accordance with the Law on Anti-Money Laundering and Terrorism Financing)
• copy of ID card (for due diligence purposes to prevent money laundering and terrorism financing)
• the fact whether a natural person is on a particular sanctions list of the United Nations, the European Union, the Government of the Republic of Croatia or other international organizations, or whether restrictive measures are applied to any of these persons in accordance with the Law on Restrictive Measures ("Official Gazette" No. 133/23.)

This data is kept for the period prescribed by the Law on Games of Chance, i.e. for a period of 10 years. Data collected pursuant to the Law on Anti-Money Laundering and Terrorism Financing is also kept for 10 years. The stated periods begin to run upon termination of the business relationship with us.

We are required to keep all data on player deposits and withdrawals for 11 years in accordance with accounting regulations.

We collect data on whether a natural person is on a particular sanction list of the United Nations, the European Union, the Government of the Republic of Croatia or other international organizations, or whether restrictive measures are applied to any of these persons in accordance with the Law on Restrictive Measures ("Official Gazette" No. 133/23.) by comparing the above-mentioned and collected data with data from current and publicly published consolidated lists of the United Nations, the European Union and decisions made by the Government of the Republic of Croatia. We carry out the aforementioned check upon registration of each user and after registration, on a daily basis, given the fact that, pursuant to the Act, we are obliged not to enable registration to a user who is on a sanction list, or to terminate the business relationship with a previously registered user if he is subsequently included on one of the lists after registration.

After the above deadlines, all the aforementioned data will be deleted. If the user refuses to provide the aforementioned personal data, he/she will not be able to participate in games of chance.

Online betting ie. the interactive organization of games of chance is based on the processing of the following data:

• participation data
• data on access and use of the system
• financial transaction data, including the history of deposits/withdrawals when participating in games of chance (history of deposits/withdrawals, the amount of each deposit/withdrawal, type of deposit/withdrawal, history of winnings and losses, and data on all deposits to the I-konto and data on all amounts withdrawals from the I-konto to the player's registered account)
• user self-exclusion data
• information about self-setting the maximum amount a player can play/deposit
• information about user account settings and changes to them

We collect and process the aforementioned data based on the aforementioned legal provisions of the Law on Games of Chance and accompanying regulations, the Law on Anti-Money Laundering and Terrorism Financing and the Law on Restrictive Measures, as well as accounting regulations.

The aforementioned data are kept for the period required for the execution of the contract or based on legal provisions, and the data are deleted after the contractual or legal period expires.

As a necessary condition for the execution of the contract for organizing games of chance through online and interactive sales channels between the organizer and you, as the user, personal data is in certain cases, when necessary, transferred to third countries to the controller, and on the basis of the contract for the processing of personal data and the application of standard data protection clauses.

5.3.1. Automatic data processing and anonymization

In the online organization of games of chance, in some cases we apply automatic processing of client data.

The company Favorit sportska kladionica doo internally processes personal data that are necessary for the normal functioning of the system of organizing games of chance through online and interactive channels. Personal data is anonymized, and in daily business all client data is processed anonymously.

The data is processed with the aim of organizing games of chance and certain processing of client data analysis has the goal of improving business, raising the quality and level of services and increasing the satisfaction of our clients, and is not used for other purposes that are not specified in this Policy.

Access to personal data is only possible through direct access to the database and logs by an authorized administrator or by specially assigned authorizations of individual employees. Each access is recorded. Access to data is intended to establish the technical correctness of the entire online gaming system.

5.3.2. When contacting customer support

Data collected when contacting customer support is processed with the aim of helping users solve problems, providing necessary information and ensuring a positive user experience. Data processing is carried out in accordance with applicable personal data protection regulations, and its purpose is to ensure user satisfaction and successfully provide service of the organization.

When contacting customer support by email or via chat on the website www.favbet.hr, the following data may be collected:

• Email address – to enable further communication and feedback to the user.
• First and last name – if the user decides to voluntarily sign the message or provide this information in the communication.
• Any other personal information – that the user voluntarily provides or leaves during communication with customer support.

Contacting us, as the data controller, in any of the above-mentioned ways is considered your consent to the collection of the personal data that you voluntarily provide to us in these conversations.

When contacting customer support by phone, conversations are recorded based on the legitimate interest of the data controller.

The recording of conversations is carried out with the aim of:

• ensuring the quality of services,
• improvement of user experience,
• documenting the information provided,
• protection of rights and interests of users and organizations.

All collected data is used exclusively for the stated purposes and is processed in accordance with data protection rules, ensuring its confidentiality and security.

5.3.3. During photo identification (photo verification)

When registering users on our website www.favbet.hr, we use a video electronic identification system for the purpose of faster and more accurate user registration and verification. The aforementioned video electronic identification is carried out in accordance with the Regulations on remote customer introduction and the minimum requirements that must be met by a solution that establishes and verifies the identity of a remote customer, which regulations were adopted pursuant to the Law on Anti-Money Laundering and Terrorism Financing and which prescribes the minimum technical requirements that must be met by video electronic identification means.

The aforementioned video electronic identification is carried out based on your consent as a user, all given the fact that your biometric data is collected during the video electronic identification process. Consent is free and you are not obliged to give it. In any case, you can carry out identification without having to participate in the video electronic identification process, by visiting our nearest branch - betting shop.

Types of personal data processed in the video identification process:

• Photo of the person (from passport or ID card)
• Picture of a person's face (5 photos)
• Passport data:
  • Name
  • Surname
  • Other name
  • Date of birth
  • Date of issue
  • Expiration date
  • Citizenship
  • Residence
  • Personal identification number
  • Sex
  • Signature
  • Passport number
• ID card information:
  • Name
  • Surname
  • Other name
  • Date of birth
  • Date of issue
  • Expiration date
  • Citizenship
  • Residence
  • Personal identification number
  • Sex
  • Signature
  • ID number
• Photo of a document containing a person's face

You can find more about the video identification process at the following link.

5.4. Personal data collected when visiting the website

The following data is collected from each visitor to the website, in order to improve the user experience and system security:

1. time and date of website visit
2. pages that the visitor views
3. type of internet browser
4. Computer IP address
5. cookie ID whose collection you have allowed by consent
6. device type and operating system version
7. other (depending on the cookies you have allowed on your device)

The above data is collected through so-called "cookies" active on our website. The data is collected based on your consent (in the settings you select the cookies you want to have active on your device - your selection represents the consent you give us, as the data controller, to process the types of personal data collected by the cookies you have allowed to be selected). You can read more about cookies at the following link.

5.5. Personal data collected through video surveillance

For the purpose of protecting the persons and property of employees, users, players and visitors, video surveillance is used. It is installed in accordance with the following regulations:

• The Law on Games of Chance and the Ordinance on Spatial and Technical Conditions for Organizing Games of Chance - for video surveillance in casinos.
• Law on the Protection of Financial Institutions - for video surveillance in betting shops.
• Legitimate interest of the data controller – for video surveillance at the company's headquarters and in areas intended for employees in casinos and betting shops.

Video surveillance is installed at the entrance and inside the facilities, including the casino, betting points and the company's headquarters, and is based on a project approved by an authorized entity.

Recordings are stored on separate hard drives located in separate locations. Access to this data is strictly limited and enabled only at the request of competent state authorities. Such information is submitted exclusively with the official record.

The retention period for recordings varies depending on the location:

• In casinos, recordings are kept for 60 days.
• In betting shops, recordings are kept for 7 days.
• At other locations under the management of the data controller (on the basis of legitimate interest), recordings are kept for 30 days.

5.6. Personal data collected based on the obligation under the Law on Anti-Money Laundering and Terrorism Financing

When it comes to transactions (payments/withdrawals related to games of chance) for which, in accordance with the Law on Anti-Money Laundering and Terrorism Financing, it is mandatory to keep prescribed records, we are obliged to collect the following data:

• first and last name
• residence,
• day, month and year of birth,
• personal identification number if visible from the identification document,
• name and number of the identification document,
• name and country of the issuer,
• citizenship/citizenships
• scan/photo/copy of identification document

For players who are politically exposed persons, the following data is also collected:

• Basis of political exposure (public office, family member, close associate)
• Information about the duties performed
• Date of appointment or time of holding a prominent public office
• The source and funds that are the subject of the transaction

The data is kept for the period prescribed by individual laws, i.e. for a minimum period of 10 years from the date of termination of the business relationship, and will be deleted upon expiry of that period. When the user refuses to provide personal data prescribed by law, the organizer is obliged to refuse to provide the service to the user, i.e. to suspend the transaction and inform the Anti-Money Laundering Office and to deny access to the premises where it organizes games of chance (betting shop, casino), as well as participation in online games of chance.

5.7. Personal data collected when establishing an employment relationship

Data processing based on legal basis

We use this legal basis for data processing in relation to all personal data that we collect from you at the time of establishing an employment relationship based on labor law regulations. Namely the Labour Act ("Official Gazette" no. 93/14, 127/17, 98/19, 151/22, 64/23), the Regulation on the Content and Method of Keeping Records of Employees ("Official Gazette" no. 55/24). and accounting regulations, regulations in the field of tax law and health insurance, which refer to the registration/deregistration of workers, prescribe obligations that we as an employer must fulfill.

• first and last name
• OIB
• sex
• day, month and year of birth
• citizenship
• residence or domicile
• residence and work permit or work registration certificate, if the third-country national worker is required to have one
• professional education and special exams and courses that are a requirement for performing the job, credentials, licenses, certificates, etc.
• start date
• job title, or the nature or type of work for which the worker is employed
• type of employment contract concluded
• date and reason for termination of employment, or termination of work for seconded workers
• date of application submission (start, change, termination) for mandatory insurance of workers as insured persons based on employment, including voluntary pension insurance, if the employer participates in paying for it, and mandatory health insurance while working abroad
• all employment contracts in writing or a confirmation of the employment contract concluded with the employee, all amendments and supplements to the employment contract
• agreements between employer and employee, consents and written statements of employees, decisions on dismissal
• forms for registration (start, change, termination) of mandatory pension and health insurance
• public and private documents that provide evidence of the accuracy of data on professional education, training, advanced training and other data on which the exercise of rights and obligations arising from or in connection with the employment relationship depends
• public and private documents, decisions, certificates, calculations, etc. related to the obligations of calculation and payment of salary, and payment of taxes and contributions
• decisions, private documents, certificates, records, etc. related to safety and protection at work, injuries at work and occupational diseases
• decisions, private documents, certificates, etc. related to the exercise of pension insurance rights, including rights based on insurance years calculated with an increased duration
• decisions, private documents, certificates, records, etc. related to exercising rights under mandatory health insurance
• public and private documents, decisions, certificates, etc. related to the exercise of the right to personal care or any other right from general labor regulations, as well as the exercise of maternity and parental rights
• requests from workers for protection of employment rights, with decisions, acts and letters of the employer issued in the proceedings regarding such requests
• other documents and acts related to the exercise of rights from the employment relationship, i.e. in connection with the employment relationship
• CV and job application
• copy of certificate, diploma and other proof of professional training
• tax card
• ID card information or passport copy, bank account information
• Certificate of service with the HZMO
• work and residence permit in the case of a worker who is a foreign citizen
• signed confidentiality statement
• signed statement of employee consent to receive salary, salary compensation and severance pay documents electronically
• signed consent of the employee for the processing of certain types of personal data for certain purposes
• a copy of the lease agreement for an employee for whom the Employer bears the housing costs, an agreement regulating rights and obligations under the apartment lease agreement
• certificate of training for safe work
• for workers who were temporarily assigned to the employer by companies affiliated with it and for workers who were assigned to the employer as a beneficiary by temporary employment agencies, the following additional documentation must be submitted:
  • the assignment agreement between the employer and the related employer and the written consent of the employee
  • the assignment agreement between the agency and the beneficiary and the referral by which the temporary employment agency refers the worker to the beneficiary
  • certificates of professional competence in accordance with obligations under occupational safety regulations
  • other documents and acts related to the realization of rights from the employment relationship, i.e. in connection with the employment relationship and rights based on the assignment of workers.
• written review of employee data

We store data collected in this way in accordance with legal retention periods, while we store employee payrolls permanently, and we store all payments made to employees (including the personal data of employees related to such payments) in accordance with accounting regulations for 11 years from each payment made.

The legal retention periods for the aforementioned data are as follows:

5.8. Personal data collected when applying for a job vacancy

The personal data we collect and process are as follows:

• general and contact information (name and surname, date of birth, residential address, telephone and/or mobile phone number, email address, personal photo, skills, URL to social network profile, e.g. LinkedIn (optional) and other information specified in the CV and/or application)
• data on competences (academic education, work experience, knowledge of certain technologies and solutions, knowledge of certain business processes, organizational skills, teamwork, hobbies, knowledge of foreign languages)
• In the event that we invite you to an interview, we use data on the results of the interview
• IP address (if applying through the TalentLyf site)
• Internet browser information (if you are registering via the TalentLyf website)
• cookies (mandatory/technical and statistical with your consent) (if you are registering via the TalentLyf website)

Legal basis for the collection and processing of personal data:

• Taking action at your request before concluding an employment contract (§6.1(b) GDPR) – participation in the job application process
• Consent to store the personal data of the data subject for the purpose of contacting them for future job vacancies that match the data subject's qualifications (§6.1(a) of the General Data Protection Regulation) - if, after a completed application process (in which you were not selected for the applied position), you give us your consent allowing us to continue to process your personal data for the purpose of contacting you again.

5.9. Processing of personal data when accessing the Favbet betting mobile application

All services related to online betting and casino can be used in addition to the above-mentioned ways through our application - Favbet kladionica, by downloading it through the Google Play or the App Store service.

When accessing the application via your mobile device or tablet, the application collects and processes the following types of personal data:

• Username
• Email address
• Address
• Mobile phone number
• Location
• History of deposits/withdrawals when participating in games of chance (history of deposits/withdrawals, amount of each deposit/withdrawal, type of deposit/withdrawal, history of winnings and losses)
• Data on all deposits to the I-konto and data on all withdrawals from the I-konto to the player's registered account
• IP address of the computer
• ID of cookies whose collection you have allowed by giving consent
• data on self-exclusion of the user
• data on self-setting of the maximum amount that the player can play/deposit
• type of device and version of the operating system

The aforementioned data is collected based on your user entry, or your selection of options on the application (for example: choosing consent to process certain types of personal data).

We collect and process the above-mentioned data based on the legal provisions of the Law on Games of Chance and accompanying regulations, the Law on Anti-Money Laundering and Terrorism Financing and the Law on Restrictive Measures, as well as accounting regulations (as stated in chapter 5.3 of this Policy and below in the text of this chapters).

The above-mentioned data are kept for the period necessary for the execution of the contract with you as a player or based on legal provisions, and the data is deleted after the expiry of the contractual or legal period. If any of the data is collected based on your consent, as a player, the data is deleted after the period specified in the consent.

As a necessary condition for the execution of the contract for organizing games of chance through online and interactive sales channels between the organizer and you, as the user, personal data collected from you via the application or the website (if you have registered and participate in games of chance via the website), in certain cases, when necessary, are transferred to processors, based on a personal data processing agreement and the application of standard data protection clauses (if the processors are located in third countries for which there is no European Commission adequacy decision). Below we provide the categories of processors (third parties) with whom we share data collected through the application:

• Online betting platform service provider
• Providers of software solutions for online games of chance that we provide through the online betting platform
• Software systems and solutions that we use in our daily business for the purpose of accounting and bookkeeping and HR-related tasks
• Payment system service providers (for example: CorvusPay and AirCash)
• Analytics software (for example: Firebase SDK, AppsFlyer SDK, Optimove SDK)
• Competent state bodies for the purpose of fulfilling legal obligations or for the purpose of fulfilling the requirements of public authorities (Ministry of Finance, Ministry of the Interior, Anti-Money Laundering Office, Ministry of Labour, Pension System, Family and Social Policy, Personal Data Protection Agency, police departments, courts, state attorney's offices, etc.)

Also, if you communicate with customer support through the application or give your consent to carry out the procedure specified in section 5.3.3. of this Policy, the application will also ask you for the necessary permission to access the camera, all in order to enable you to carry out the specified procedures, i.e. take photos and then, through the application, forward the photos to us. Therefore, the purpose of the aforementioned access to the camera is to carry out the photo verification process of you as a user and upload a personal document on the basis of which the identity of the photo of your face with the photo of your personal document is checked. Also, you may wish to forward a photo of a specific situation/document to customer support during communication regarding the request.

The application may only be used by adults. Age is verified during the registration of each individual user, by entering all the necessary data specified in section 5.3. of this Policy - if the person is a minor, the system will notify the Tax Administration, based on the entered OIB (personal identification number), that the person is a minor and will not allow registration.

Furthermore, if you use the application to register as our user for the first time, we will also collect the following personal data through the application, all based on the obligations arising from the Law on Games of Chance, the Ordinance on the organization of games of chance in casinos through interactive online gaming sales channels, the Ordinance on the organization of remote betting games and the Law on Anti-Money Laundering and Terrorism Financing:

• username chosen by the player
• the password that the player will use when accessing the website
• player's email address
• player's first and last name
• player's date of birth
• player's residential address
• city and postal code (optional)
• Player's OIB
• player's (mobile) phone number
• player's bank account number (IBAN)
• data on political exposure (when completing the form on political exposure of persons in accordance with the Law on Anti-Money Laundering and Terrorism Financing)
• method of exposure (when filling out the form on political exposure of persons in accordance with the Law on Anti-Money Laundering and Terrorism Financing)
• type of public office (when filling out the form on political exposure of persons in accordance with the Law on Anti-Money Laundering and Terrorism Financing)
• basis of political exposure - public office, family member, close associate (when filling out the form on political exposure of persons in accordance with the Law on Anti-Money Laundering and Terrorism Financing)
• data on the duty performed (when filling out the form on political exposure of persons in accordance with the Law on Anti-Money Laundering and Terrorism Financing)
• date of appointment or time of performance of prominent public office (when completing the form on political exposure of persons in accordance with the Law on Anti-Money Laundering and Terrorism Financing)
• source and funds that are the subject of the transaction
• source of assets (when completing the form on political exposure of persons in accordance with the Law on Anti-Money Laundering and Terrorism Financing)
• copy of ID card (for due diligence purposes to prevent money laundering and terrorism financing)
• the fact whether a natural person is on a particular sanctions list of the United Nations, the European Union, the Government of the Republic of Croatia or other international organizations, or whether restrictive measures are applied to any of these persons in accordance with the Law on Restrictive Measures ("Official Gazette" No. 133/23.)

Above-mentioned data is kept for the period prescribed by the Law on Games of Chance, i.e. for a period of 10 years. Data collected pursuant to the Law on Anti-Money Laundering and Terrorism Financing is also kept for 10 years. The stated periods begin to run upon termination of the business relationship with us.

We are required to keep all data on player deposits and withdrawals for 11 years in accordance with accounting regulations.

We collect data on whether a natural person is on a particular sanction list of the United Nations, the European Union, the Government of the Republic of Croatia or other international organizations, or whether restrictive measures are applied to any of these persons in accordance with the Law on Restrictive Measures ("Official Gazette" No. 133/23.) by comparing the above-mentioned and collected data with data from current and publicly published consolidated lists of the United Nations, the European Union and decisions made by the Government of the Republic of Croatia. We carry out the aforementioned check upon registration of each user and after registration, on a daily basis, given the fact that, pursuant to the Act, we are obliged not to enable registration to a user who is on a sanction list, or to terminate the business relationship with a previously registered user if he is subsequently included on one of the lists after registration.

After the above deadlines, all the aforementioned data will be deleted. If the user refuses to provide the aforementioned personal data, he/she will not be able to participate in games of chance.

In order to protect the security of your personal data, and in accordance with the obligations arising from applicable regulations on the protection of personal data, prescribed technical measures and procedures have been taken in relation to the personal data collected through the application, and access control to personal data has been secured, with access only being provided to authorized and professional persons.

The latest security measures and technical solutions are used in the collection and processing of data through the application, which take place on our servers (databases, backups, firewalls, encryption, surveillance systems and access control systems, both physical and software content, to ensure protection against loss or misuse of your data). All communication through the application takes place using the HTTPS protocol, and the application code itself is protected in a way that prevents its disclosure.

6. Marketing

6.1. Newsletter

When creating your user account (registration), we will ask for your consent to send you information about bonuses, prizes, special offers and new products. This consent will be requested via a confirmation box on our website. We emphasize that giving consent is voluntary, that you do not need to give it to us as the data controller, and if you do give it, that you have the right to withdraw it at any time or object to such processing of personal data.

If you object to the processing of your data for marketing purposes, we will stop processing your personal data for these purposes.

To prevent receiving unwanted marketing messages, you can take one of the following actions:

• Choose the unsubscribe option available in every marketing message you receive,
• Change marketing preference settings within your user account,
• Contact our customer support department via email: [email protected]
• Contact the Data Protection Officer via email: [email protected]

Please note that it may take up to two days for your information to be removed from our marketing mailing lists, so you may continue to receive such communications for some time after you submit your request. This will not affect the sending of important messages related to your account or transactions, such as information about bets, changes to terms or security updates.

6.2. Participation in events organized by the data controller

As part of the events we organize, we use the legal basis - legitimate interest to photograph the event and publish images on our social networks. The purpose of this processing is to document and promote the event, as well as to inform the public about our activities, thereby ensuring transparency and raising awareness of our services and initiatives.

Also, in the case of prize games or similar activities, we may publish the name and surname of the winner on social networks, based on legitimate interest, for the purpose of public communication of the results and confirmation of the authenticity of the activities carried out. Also, the winners of prize games may be asked to give their consent to be photographed as winners and to publish these photos on the social networks of the data controller. The aforementioned consent is voluntary, you are not obliged to give it and not giving consent in any way cannot and will not affect your participation in the prize game or the receipt of the prize that you have validly won.

This processing of personal data is carried out with due regard to the rights and interests of the participants, while ensuring that there is no disproportionate impact on the privacy of individuals. If you believe that this processing threatens your rights or interests, you have the right to object to such processing in accordance with applicable data protection legislation. For additional information on the method of data processing or to submit a complaint, please feel free to contact us through the available communication channels:

• [email protected]
• [email protected]

6.3. Social networks

On our website you will find the icons of Facebook and Instagram. By clicking on the icons, you will be redirected to our profiles on the mentioned social networks. Our profiles are used to publish news and promotions. You will find more information about data processing by social networks in the individual privacy rules available here for Facebook pages and here for Instagram profiles.

7. Transfer of personal data to third parties

Favorit sportska kladionica doo is obliged, in certain cases, to forward your personal data collected on the basis of the legal grounds set here to competent state bodies for the purpose of fulfilling legal obligations or for the purpose of fulfilling the requests of public authorities (Ministry of Finance, Ministry of the Interior, Anti-Money Laundering Office, Ministry of Labour, Pension System, Family and Social Policy, Personal Data Protection Agency, police departments, courts, state attorney's office and similar).

8. Personal data processors

The personal data controller, Favorit sportska kladionica doo, has concluded contracts with several personal data processors, which are in line with the General Regulation and handle all personal data we transfer to them in accordance with the Regulation. The above obligations are additionally regulated by personal data processing contracts that we have concluded with them, as well as standard contractual clauses for data transfers to third countries, in cases where these processors are located in third countries outside the European Economic Area for which there is no European Commission decision on the adequacy of the transfer. In relation to all transfers of personal data to third countries, we also conduct an assessment of the transfer of personal data to these countries, in order to determine whether the aforementioned transfers meet the standards set by the General Regulation.

In the course of its daily work, the Processor has no business need, nor is it authorized, to access the personal data of the Controller. The Processor and its authorized employees are authorized to access the personal data of natural persons contained in the Controller's databases when maintaining the system and databases for the purpose of establishing the technical correctness of the system and conducting the necessary tests for this purpose.

Examples of our processors:

• Online betting platform service provider
• Providers of software solutions for online games of chance that we provide through the online betting platform
• Software systems and solutions that we use in everyday business for the purpose of accounting and bookkeeping and jobs related to personnel department
• Personal protection service providers at the casino entrance
• Payment system service providers (for example: CorvusPay and AirCash)
• Employment mediation service providers (for example: TalentLyft)
• Analytics software (for example: Firebase SDK, AppsFlyer SDK, Optimove SDK)

9. Measures to protect your personal data

In order to protect your personal data, and in accordance with the obligations arising from applicable regulations on the protection of personal data, prescribed technical measures and procedures have been taken, and access to personal data is controlled and only authorized and professional persons are allowed to do so.

The latest security measures and technical solutions are used in the collection and processing of data, which take place on our servers (databases, backups, firewalls, encryption, surveillance systems and access control systems, both physical and software content, to ensure protection against loss or misuse of your data.

9.1. Physical data protection

Physical protection encompasses a set of methods and means used to protect information system hardware from unauthorized physical access to the system itself and the use of its resources, as well as its protection from external events that cannot be predicted, e.g. lightning strikes, power outages, protection from floods, earthquakes, excessive dust, etc.

1. In accordance with applicable regulations, the company's premises are protected by technical and physical protection in the premises of the company's headquarters where the servers are located, and at casino locations. In addition to physical protection, security services are available upon automatic alarm notification to their center or upon call, after which security goes out to the field. All locations are equipped with the prescribed technical protection equipment. In addition to the automatic alarm system, some locations also have the option of manually activating a silent alarm.
2. Within the locations where the data centers are located, there is physical and digital physical access control for the protected areas.
3. The server equipment on which the data is stored is located in the server rooms which are protected in the previously mentioned ways, and in addition there are lockable server cabinets inside the room.
4. The premises of the company, especially the areas for data processing and storage (server rooms, etc.) are equipped with appropriate equipment for fire protection, which includes smoke sensors, a fire alarm system, and automatic fire extinguishing systems, while the servers are secured against voltage surges and sags, and sudden interruption of the mains supply, using an uninterruptible power supply (UPS). In addition to the primary mode of protection (UPS, Uninterrupted Power Supply) for short-term and sudden oscillations and interruptions in the mains supply.

9.2. Digital data protection

1. Password - a secret nformation that must be known in order to access certain resources, information, etc. It is used as a general mechanism of digital protection at multiple levels within an information system - for access to computers, a specific system, subsystem, application, database, protected files, archive copies, etc. Password complexity rules and periodic change policies are prescribed separately for separate applications and systems.
2. Firewall - a combination of software and hardware that isolates the internal network of an information system from the Internet, allowing some packets to pass while blocking others. It is used at all locations at the level of the entire network, as part of the available protection of network devices, and on individual computers, either as part of the operating system or additional applications installed on the computer itself or server.
3. Rules for handling network traffic are defined for each computer and network separately, depending on the communication needs of the systems located on those computers and networks, and only authorized persons have access to databases. (control via domain controller and traffic on the router)
4. Antivirus protection - includes systems for preventing the operation of viruses and other malicious applications, scripts and parts of program code, sending or receiving such applications, etc.
5. Backups – necessary to ensure uninterrupted availability and the ability to continue operating the information system due to unforeseen circumstances, e.g. in cases of natural disasters (fire, earthquake, flood, sabotage, etc.) or other causes of interruption of work.
   
   
6. When connecting two or more remote locations, VPN (Virtual Private Network) tunnels are used to protect network communication. All traffic within such a VPN tunnel is encrypted, and is not available to network users outside the two networks connected by these tunnels.
7. Computer access to all systems is restricted:
   • limiting access rights at the user account level
   • Access to databases is allowed only to authorized persons.

All with the aim of protecting the system from unauthorized access, installation of unwanted applications, unintentional data loss, etc. When possible and justified, redundancy (duplication) of critical system components is applied to increase the reliability of computer systems, both at the physical level (equipment), and at the logical and digital level. Redundant systems operate in such a way that in the event of a failure of one part of the system (component), the functionality is taken over by another identical part of the system.

10. Rights of the data subject

According to the General Data Protection Regulation (EU 2016/679), the rights of data subjects are:

Right to access data - You have the right to request information on whether we are processing your personal data, which data we are processing, and to request access (insight) to your personal data that we are processing. If it is about a larger amount of data, we could request a more precise specification of the request for the delivery of certain groups of data.

Right to rectification - If you notice that we are processing inaccurate or incomplete data about you, or if you want to change it, you have the right to request the correction of such data or the completion of incomplete personal data. In order to ensure that we always process only accurate personal data, it is necessary that you notify us about all their changes without delay.

Right to erasure (to be forgotten) - The erasure of personal data can be requested, for example, if you have withdrawn your consent to the processing of certain data, when your personal data is being processed unlawfully, or when it is no longer necessary in relation to the purposes for which it was collected or otherwise processed. However, please note that we will not be able to erase the data if it is necessary to fulfil legal obligations, contractual obligations or other legal bases under the General Data Protection Regulation. In all situations where this is possible, we will irreversibly delete all of your personal data from our systems, leaving only general statistical data that cannot be linked to your identity in any way.

Right to restriction of processing - You have the right to obtain restriction of processing of your personal data, which can be requested, for example, if you have filed an objection to the processing of the data, if you doubt the accuracy of the personal data being processed or the lawfulness of their processing, but do not want the data to be deleted, or if you still need it to exercise legal claims.

Right to data portability - If the processing is based on your consent or is carried out for the purpose of performing a contract with you and is carried out at the same time by automated means, you have the right to receive your personal data that we have collected from you. If you request this, we will transfer your personal data directly to another data controller, if this is technically feasible.

Right to object - You have the right to object at any time, given your particular situation, to the processing of personal data concerning you, for which reason we will restrict the processing of such data. We will also delete the data and stop processing it, unless we can demonstrate that there are compelling and legitimate legal grounds for retaining it. In addition, you have the right to object at any time to the processing of your personal data for purposes for which you have not given consent. After submitting your objection, your personal data will stop being processed for the stated purpose.

Right to withdraw consent - If the processing of your personal data is based on consent, you have the right to withdraw it at any time, without any negative consequences.

If you no longer wish us to process your data in any way, or if you request deletion, correction or transfer of your data, please inform us by sending an e-mail to the Data Protection Officer's e-mail address: [email protected] . The officer may contact you to verify the authenticity of your request.

The data controller is obliged to inform you regarding the correction or deletion of personal data or the restriction of processing in accordance with Article 19 of the Regulation.

In the event of a breach of your personal data, we will notify you in accordance with Article 34 of the General Regulation within a maximum of 72 hours.

For all questions, complaints, submission of requests, as well as exercising their rights related to the protection of personal data under the provisions of the Regulation, the user can contact the Personal Data Protection Officer via email at the following address:

[email protected]

or

to the data controller in writing at the address

FAVORIT SPORTSKA KLADIONICA doo, Draškovićeva ulica 45, 10 000 Zagreb

11. Complaints

The user has the option to file a complaint with the supervisory authority for personal data protection at any time:

Personal Data Protection Agency (AZOP)

Street Metela Ožegovića 16,

10 000 ZAGREB

12. Final provisions

By registering with the data controller or accessing the game in the online gaming system, the user confirms that he/she is aware of:

• the purpose and legal basis for collecting personal data, as stated in this Privacy Policy, and that in the event of refusal to provide the legally required personal data, the data controller is unable to provide the service
• the purpose and legal basis for collecting personal data, as stated in this Privacy Policy, and that in the event of refusal to provide the legally required personal data, the data controller is unable to provide the service
• that by giving his consent, they agree that their personal data may be used for the purposes specified in each individual consent they have given
• is aware of and accepts the Betting Rules, this Privacy Policy, Cookie Policy and the Rules on Responsible Gambling of the company FAVORIT SPORTSKA KLADIONICA doo Zagreb, Draškovićeva ulica 45.
• that their data, regardless of the legal basis on which they were collected and on which they are processed, may, under certain conditions, be transferred to processors in third countries, and that in situations where the transfer is made to countries outside the European Economic Area for which there is no European Commission decision on the adequacy of the transfer, the transfer of data is regulated on the basis of standard data protection clauses, prescribed and approved by the European Commission.

You can ask us at any time:

• Possibility to access the Privacy Policy
• confirmation whether data is being processed in relation to you and the possibility of reviewing personal data contained in the personal data storage system
• forwarding your personal data contained in the data storage system
• providing a list of third parties to whom personal data has been transferred, when it was transferred to them, on what basis and for what purpose
• providing information about the sources on which the records are based, what personal data the storage system contains about an individual and how it is processed
• providing information about the purpose of the processing and the type of personal data being processed, as well as all necessary explanations in this regard
• an explanation of the technical or logical-technical decision-making procedures if automated decision-making is carried out by processing an individual's personal data.

The Data Controller reserves the right to change this Privacy Policy at any time.

The data controller will publish the new version of the Privacy Policy on its website www.favbet.hr without delay, and after each change to the Privacy Policy .

In the event of a changes to the Privacy Policy, all registered users will be notified of the same by a message delivered to their user profile inbox.

Last updated: February 2025.