This document sets out the processing of your personal data and your rights under current data protection law – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and the regulations implementing it, hereinafter “GDPR”.

Data processed and the use of such data may vary depending on the relation we have with you and the services requested and/or provided.

1. DATA CONTROLLER AND CONTACT DETAILS

The entity responsible for the processing of your data is GRUPO ORENES, S.L., with registered address at Avenida Alejandro Valverde, 170, C.P. 30.007 (Murcia).

If you so wish, you may contact the Data Protection Officer through the following e-mail address dpo@orenesgrupo.com or via the aforementioned postal address.

2. WHAT PURPOSES WILL WE PROCESS YOUR DATA (PURPOSE OF PROCESSING) AND ON WHAT LEGAL BASIS?

Personal data are processed in accordance with the provisions of the GDPR, on the legal basis set out below:

In the context of performance or fulfilment of contractual obligations (art. 6.1.b GDPR).

  • To perform our contractual duties towards you, including registering an account in order to use our services.
  • Processing of contracted services, as well as the fulfilment of accounting, legal, tax and administrative duties.
  • Issuing winnings certificates to players upon request.
  • Manage jackpot winners’ entries.
  • Handling bookings in catering establishments and verifying their ownership.
  • Managing home orders from catering establishments. Delivery of orders.

Grounded in a legitimate interest (art. 6.1.f RGPD)

Whenever necessary, GRUPO ORENES, S.L. will process your personal data to satisfy its own legitimate interests or those of third parties in the following cases:

  • Handling customer complaints.
  • Carrying out controls for detection of fraudulent activities.
  • Registering visits to Orenes Group headquarters.
  • Processing of relevant customer information and communications regarding invitations to special events.
  • Study and analysis of the identification process and/or activity of customers who comply with fraud patterns or signs of fraud.

Consent (art. 6.1.a GDPR)

Provided that you have given us your consent, additional processing operations may be carried out if you have been notified and if you have given your permission. You may revoke your consent at any time. This also applies if your consent was granted before the entry into force of the EU General Data Protection Regulation, i.e. before 25 May 2018. It should be noted that objections to a particular processing operation and revocation of consent are not retroactive. You can at any time retrieve information on the authorisations you have consented to for different processings by exerting your rights in accordance with section 8.

GRUPO ORENES, S.L. will request your authorisation to process your data for the following purposes:

  • Handling of the contact data obtained through forms on the corporate web sites.
  • Cash prize payment procedures.
  • Sending commercial, promotional and/or advertising communications, which may be based on the products contracted or services provided.
  • Automatic categorisation of your user according to your gaming profile in order to receive communications suited to your preferences and needs. Personal data may be processed for profiling based on internal sources (e.g. cookie browsing data, historical and statistical data) and the results of which enable the creation and analysis of personalised products, through segmentation into different groups on the basis of common patterns. Such profiling will only be used to send you personalised communications about products and/or services.
  • Provide my contact details to Grupo Orenes companies (+info), so that they can send me commercial communications about their products and services.
  • Handling of photographs of participants in poker tournaments, themed dinners, other organisational events and/or testimonials.
  • Checking customers’ identity through a facial recognition system with the aim of enabling registration and access control to the premises.
  • Capturing images of casino roulette customers for online playback.
  • Customer service management to solve requests from customers or potential customers.
  • Wifi service maintenance in our establishments for customers and visitors.
  • Registration process of participants in prize draws.
  • Satisfaction survey surveys sent to our customers about our services.
By law or in the public interest (art. 6.1.c and 6.1.e RGPD).

As a company in the gaming and betting industry, GRUPO ORENES, S.L. is subject to a number of legal obligations (e.g. Gambling Regulation Act, Prevention of Money Laundering and Terrorist Financing Act, Tax Act), and to several supervisory regulations.

We therefore process data on this legal basis in the following cases:

  • Managing the portfolio of players who use our services, including prize payments and access registration to facilities.
  • Processing players’ information registered on online sports betting and online casino platforms, including prize payments and access registration.
  • Handling of banned players’ registration in order to prevent them from accessing Orenes Group facilities or services.
  • Registration of winners and handling of prizes exceeding 2,000 euros.
  • Compliance with legal duties that apply to Orenes Group in terms of Prevention of Money Laundering.
  • External audits or reviews to which Orenes Group is subject, either by applicable regulation, or carried out voluntarily to verify our internal control framework.
  • Image recording at Orenes Group facilities for security reasons, as well as to gather evidence in cases of theft and/or fraud.
  • Filling in the access reports to catering establishments and notifying, where appropriate, the State Security Forces and Corps.
  • Processing administrative or court proceedings involving customers and Grupo Orenes. This processing may also be based on the legitimate right of Grupo Orenes to effective legal protection, both in its right of defence and in the filing of legal claims that it deems appropriate, on the basis of civil or criminal prosecution regulations.
  • Handling complaints relating to acts or conduct, present or past, contrary to our Code of Ethics or applicable legislation submitted through the different channels made available by the organisation, as well as processing and investigating them.
  • Responding to the exercise of rights raised by interested parties in accordance with Data Protection Law.

3. WHAT RECIPIENTS WILL YOUR DATA BE COMMUNICATED TO?

For all the purposes described above, GRUPO ORENES, S.L. relies on the collaboration of third party service suppliers who may have access to personal data as a result of performing the contractual services. In any case, GRUPO ORENES, S.L. follows strict selection criteria for these third parties in order to comply with its data protection commitments and signs the applicable data protection agreement with them, in which these third parties undertake to comply with their data protection obligations, and specifically, to comply with the legal, technical and organisational measures, to process personal data for the purposes agreed, as well as to refrain from processing said personal data for other purposes or disclosure to third parties.

Your data may also be disclosed to Public Bodies, the Tax Agency, Judges and Courts and, in general, to the Competent Authorities when GRUPO ORENES, S.L. is legally bound to provide them.

Likewise, GRUPO ORENES, S.L. must notify the Commission for the Prevention of Money Laundering (SEPBLAC) of any evidence or suspicion of any transaction in the area of combating and preventing money laundering and terrorist financing as well as informing said Commission, communicating all necessary identification data of the users involved, so that the information compiled is made available to legal bodies in the event of investigations related to money laundering.

Data will only be transferred to countries outside the European Union (so-called third countries) if the European Commission has decided that the third country ensures an adequate level of protection, if it is required by law (e.g. tax reporting obligations), or if you have authorised us to do so, or in the context of data processing as a service provider.

Orenes hereby informs you that, in order to fulfil its purposes of advertisement by electronic means, uses a US-based provider called Salesforce, resulting in an international transfer of data relating to its customers. Said supplier has binding corporate rules for its services as responsible, guaranteeing that the transfer will be carried out under GDPR content agreement terms.

Furthermore, Orenes uses Zendesk, also located in the United States, to meet its customer service purposes. This provider ensures that transfers will be carried out under the terms of the content in accordance with GDPR by means of binding corporate rules for its services as a processor.

4. HOW LONG WILL WE KEEP YOUR DATA?

GRUPO ORENES, S.L. will comply with the provisions of current legislation regarding the duty to delete personal information that is no longer necessary for the purpose or purposes for which it was gathered, remaining at the exclusive disposal of Judges and Courts, the Public Prosecutor’s Office or relevant Public Administrations to address possible liabilities arising from the processing, and only during the terms of description of such liabilities. Once these periods have elapsed, this information will be permanently deleted by means of secure methods.

Access data is stored for 6 months from the last visit to the establishment. Online platform data is kept for 6 years from the last access. In the event that the data is covered by Royal Decree 304/2014 which approves the regulations of Law 10/2010 on the Prevention of Money Laundering, the retention period shall be extended in accordance with article 29.1, which stipulates that “Obliged entities shall keep documents and maintain adequate records of all business relationships and transactions, national and international, for a period of ten years from the termination of the business relationship or the execution of the occasional transaction. Records shall allow for the reconstruction of individual transactions so that they can, if necessary, have evidentiary effect”.

On the basis of Instruction 1/2006 of the Spanish Data Protection Agency, information on video-surveillance shall be cancelled within one month after images have been captured.

In hotel and catering establishments, they must keep the register-books for a period of three years, from the date of the last of the register sheets that comprise them, in accordance with Order INT/1922/2003, of 3 July, on register-books and entry reports of travellers in hotel and catering establishments and other similar establishments.

With regard to Wi-Fi service management in our establishments, connection data will be kept for as long as the user is connected to the Wi-Fi network and, subsequently, will be kept blocked for the periods of time arising from the prescription of legal actions related to this processing.

5. PERSONAL DATA RECORD

As responsible for the processing of your personal data, GRUPO ORENES, S.L. keeps a record of all its data processing activities. This inventory includes all the information regarding the type of data processed, such as data subjects, potential data recipients, processing purposes or duration for which the data will be kept, among other details.

Any personal data provided by the user is kept in a register monitored by GRUPO ORENES, S.L. and therefore remains responsible for its security at all times. Besides the above information, this register includes:

  • Department of data processing
  • Lawfulness of data processing
  • Category of data to be processed
  • Source of data being processed
  • Channel through which the processing data is gathered
  • Medium on which the processing data is stored
  • Description of the processing performed
  • A list of systems involved in the processing
  • Data processor

6. PRIVACY POLICY CHANGES

GRUPO ORENES, S.L. reserves the right to modify the Privacy Policy. Any update is applicable to users once published. GRUPO ORENES, S.L. undertakes to notify such changes by the means available and to expressly state the date on which each version of the Privacy Policy comes into force.

7. PROBATIVE VALUE

Users accept that if documents or data processed are obtained electronically, these shall have the same probative value as if said documents and data had been sent or communicated on paper. Therefore, users undertake not to contest their validity or their probative value on the grounds that they are in electronic format.

8. WHAT ARE YOUR RIGHTS WHEN YOU PROVIDE US WITH YOUR DATA?

In accordance with the provisions of the General Data Protection Regulation, as well as national data protection laws, you are entitled to exercise, if you so wish, the rights of access, rectification and erasure of data, as well as to request that we restrict the processing of your personal data, to object to such processing, to apply for data portability, and not to be subject to automated individual decisions. In particular, regardless of the purpose or the lawful basis on which we process your data, you have the right to:

Request access to the information we hold about you.

Request that we amend the data we already hold about you. Please note that by actively providing us with your personal data by any means, you warrant that it is true and accurate and you undertake to notify us of any changes or modifications.

Request that we delete your data to the extent that they are no longer necessary for the purpose for which we need to process them as previously notified to you, or to the extent that we no longer have the legitimacy to do so.

Request that we restrict the processing of your data, which means that in certain cases you may ask us to temporarily suspend data processing or to keep your data longer than necessary when you may need it.

Receive personal data concerning you which you have submitted to us in a structured, commonly used and machine-readable format and to transfer it to another data controller.

Moreover, where the processing of your data is based on our legitimate interest, you are also entitled to object to your data being processed.

Furthermore, in the event that personal data processing described above is based on the consent granted by you, you may revoke such consent at any time. In this regard, it should be noted that revoking the consent given will not affect the lawfulness of the processing carried out prior to the withdrawal of such consent.

You may exercise the rights described above through the following channels. If we consider it necessary in order to identify you, we may request a copy of a document proving your identity (copy of your ID card, passport, NIE, etc.):

  • In writing, by sending a request to GRUPO ORENES, S.L. Avenida Alejandro Valverde, 170, C.P. 30.007 (Murcia).
  • By e-mail to the following address dpo@orenesgrupo.com

GRUPO ORENES, S.L. undertakes to provide a copy of the personal data being processed and reserves the right to charge a reasonable fee based on administrative costs for any other copy requested by the interested party.

Users are entitled to access or receive information, or a copy thereof, in a commonly used structured electronic format, unless the data subject requests it in another format.

9. AM I OBLIGED TO PROVIDE INFORMATION?

As part of our business relations, you must provide us with personal data that requires your consent for the provision of a service, or is required for the fulfilment of the contractual obligations arising from it, or data collection of which we are obliged by law to perform.

If you do not provide us with such data, we will generally be obliged to refuse to provide the service, or we will no longer be able to provide the existing service and will be forced to terminate our business relationship.

In particular, in accordance with legal provisions on the prevention of money laundering, we are obliged to identify you, e.g. by means of your national identity card, and to collect and store your first and last name, place and date of birth, nationality and address prior to any business relationship. You must also inform us of any changes that occur during the course of the business relationship. If you do not provide us with the necessary information and documentation, we will not be able to establish or continue the business relationship you wish to enter into with us.

10. WHO CAN YOU MAKE A COMPLAINT TO?

In the event that you believe that your data protection rights have been breached or if you have any claim relating to your personal information, you may contact us through the channels provided in section 8.

In any case, interested parties can always refer to the Spanish Data Protection Agency, data protection supervisory authority, http://www.agpd.es, C/ Jorge Juan number 6, 28001, Madrid.