Entry requirements

ADDITIONAL INFORMATION ABOUT DATA PROTECTION

DATA CONTROLLER

Contact Details for the Daata Controller 1, 2, 3, 4 y 5 CASINO NUEVA ANDALUCIA MARBELLA S.A.U.
Edificio Hotel H10 Andalucia Plaza Km 174 29600 Puerto Banus (Málaga)
952814000
protecciondedatos@cirsa.com

Contact Details for the Joint Data Controller of Process 4 CIRSA SERVICIOS CORPORATIVOS, S.L.
Ctra. De Castellar 298, 08226 Terrassa (Barcelona)
Teléfono de contacto: 937396700
protecciondedatos@cirsa.com

Normas de Acceso

ADDITIONAL INFORMATION ABOUT DATA PROTECTION

DATA CONTROLLER

Contact Details for the Daata Controller 1, 2, 3, 4 y 5 CASINO NUEVA ANDALUCIA MARBELLA S.A.U.
Edificio Hotel H10 Andalucia Plaza Km 174 29600 Puerto Banus (Málaga)
952814000
protecciondedatos@cirsa.com

Contact Details for the Joint Data Controller of Process 4 CIRSA SERVICIOS CORPORATIVOS, S.L.
Ctra. De Castellar 298, 08226 Terrassa (Barcelona)
Teléfono de contacto: 937396700
protecciondedatos@cirsa.com

PROCESSING OF PRIVATE DATA
Data processing and purposes Legitimacy What RGPD rights do you have? How can you exercise your rights? Period for maintaining the data

1. Control of admission and access to the Casino in order to:

• Control admission, stay, premises and access to the Casino, in accordance with applicable legislation. Compliance with a legal obligation applicable to the Data Controller:

• Decree 229/1988 of 31 May 1988 approving the Regulations on Gaming Casinos in Andalusia
• Articles 29 and in particular 32 establish the obligation to control entry to the casino. • You have the right to receive confirmation that we are processing your data.

• The right to access your data, rectify them if they are inaccurate or delete them, particularly if they no longer need to be processed.

• In certain cases you may request the limitation of processing, in which case we will use them only for the exercise or defence of claims.

• In certain cases, you may object to us processing your data and we will stop processing it unless there are compelling legitimate reasons or the exercise or defence of possible claims.

• Right to revoke consent.

• Right to data portability, if applicable. You have the right to copy and transfer data from our database to another data controller. This right can only be exercised when the processing is based on the execution of a contract or on your consent and the processing is carried out by automated means.

For more information about these rights, please contact
protecciondedatos@cirsa.com
To exercise these rights you must present a document in admission at the Casino, or to the postal address indicated above. You may also contact us at the e-mail address protecciondedatos@cirsa.com

This written document must specify which right you are seeking to exercise and accompany it with a photocopy of your identification document. If you require a form for this purpose you may:

• Use the oficial form of the Spanish Data Protection Agency: https://www.aepd.es/reglamento/derechos/index.html; or
• Request a form from us at: protecciondedatos@cirsa.com

We hereby also inform you that when you have been unsuccessful in exercising your rights or your way of exercising them, you may submit a complaint to the Supervisory Authority. If you want more information about this right and how to exercise it, you can contact AEPD:
http://www.aepd.es/
Tel. 901 100 099 y 91.266.35.17. C/Jorge Juan 6, 28001-Madrid.

The personal data provided will be kept for the legally required period of time in accordance with the applicable regulations in force. Once the maximum retention period has been reached, your data will be deleted.

2. Video monitoring processing for the purpose of:

• Maintain and guarantee patrimonial and personal security at the accesses to the Casino and in the whole establishment. The fulfilment of a legal obligation applicable to the Data Controller.

All establishments whose security system is classified as grade 3 (including casinos, bingo halls and gaming machine rooms) are obliged to comply with those established in RD 2364/1994 in Articles 111 and subsequent articles and in Order INT 317/2011, which sets out both the physical and electronic protection measures of each establishment. In addition, they must have a CCTV system with access from the Alarm Reception Centre. Your access data will be kept for a period of 6 months, as established by Instruction 2/1996, of 1 March, on automated files established for the purpose of controlling access to casinos and bingo halls. Once the maximum period of conservation has been reached, your data will be deleted.

3. Control and prevention of fraud and money laundering and financing of terrorism for the purposes of:

• Investigate the origin of funds in case of suspected fraudulent payment, including the use of stolen credit cards or any other fraudulent activity
• Performing credit checks, based on the information provided by the User upon registration.
• Verify the user’s identity.
• Checking the means of payment.
• Maintain the security of the Casino.
• Make mandatory communications to the Executive Service of the Commission for the Prevention of Money Laundering and Monetary Offences. The legal basis for the processing of your data is the fulfilment of a legal obligation imposed by:

• Law 10/2010 of 28 April on the prevention of money laundering and the financing of terrorism In accordance with Article 32 of Law 10/2010 of 28 April on the prevention of money laundering and the financing of terrorism, the rights of access, rectification, suppression and opposition shall not apply. We will keep your personal data for the duration of the contractual relationship and in any case for a period of 10 years in accordance with Law 10/2010 of 28 April, on money laundering and the financing of terrorism. Once the maximum retention period has been reached, your data will be deleted.

4. Analysis of the data for business management and statistical purposes:
• Perform business level analysis and statistics on the frequency of your visits, gaming history data, preferences, consumption and behaviour.
• To obtain economic values and profitability, quality and improvement of services.
• Improve our services and customer care to enhance your experience in our Casino, always respecting your fundamental rights and privacy. Legitimate interest. In accordance with Recitals 47 and 70 and Articles 21 and concordant of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (“RGPD”)
You have the right to receive confirmation that we are processing your data.
• The right to access your data, rectify them if they are inaccurate or delete them, particularly if they no longer need to be processed.
• In certain cases you may request the limitation of processing, in which case we will use them only for the exercise or defence of claims.
• In certain cases you may object to us processing your data and we will stop processing it unless there are compelling legitimate reasons or the exercise or defence of possible claims.

• Right to revoke consent.

• Right to data portability, if applicable. You have the right to copy and transfer data from our database to another data controller. This right can only be exercised when the processing is based on the execution of a contract or on your consent and the processing is carried out by automated means.
For more information about these rights, please contact:
protecciondedatos@cirsa.com
If you do not agree and do not want your data to be used for the purposes described, you may oppose the processing at any time by contacting the Casino reception desk and/or the following e-mail address: protecciondedatos@cirsa.com

To exercise the rest of your rights, you must present a written statement at the Casino’s admission, or at the address above. You can also contact us by e-mail protecciondedatos@cirsa.com

In this letter or communication you must specify which of these rights you are requesting to be satisfied and, at the same time, you must attach a photocopy of your ID card or equivalent document.
If you want to have a model for this you can:
• Use an official model of the Spanish Data Protection Agency: https://www.aepd.es/reglamento/derechos/index.html
• Request a model from us at the casino admission or through the mail address protecciondedatos@cirsa.com

We also inform you that when you have not obtained satisfaction in the exercise of your rights or the manner in which you have exercised them, you may file a complaint with the Supervisory Authority. If you wish to know more about this right and how to exercise it, please contact the AGPD:
http://www.aepd.es/
Tel. 901 100 099 y 91.266.35.17. C/Jorge Juan 6, 28001-Madrid. Your data will be processed for the duration of the customer relationship, unless you exercise your right to oppose or delete it.

Subsequently, the personal data provided will be kept for the legally stipulated period. Once the maximum retention period has been reached, your data will be deleted.

5. Maintenance of deletion lists for the purpose of:

• Maintain an updated list of all those clients who have requested the deletion of their data or at any time have opposed any of the data processing we carry out. Legal obligation. Article 24 of the RGPD obliges the Data Controller to maintain evidence of compliance with the provisions of the RGPD. The RGPD rights are limited because this treatment is based on a legal obligation. The personal data will be kept for the period of time legally provided for the lodging of any claim in relation to the effective or deficient response by us to the right of suppression or opposition that you have exercised.
Once the maximum data retention period has been reached, your data will be deleted.

RECIPIENTS

Data communication recipients Purpose Legitimacy Base
By legal requirement When legally required by the Administration, State Security Forces and Corps, Inspection Bodies, judicial authorities, Executive Service of the Commission for the Prevention of Money Laundering and Monetary Offences. Compliance with a legal obligation applicable to the Data Controller.
CIRSA Group Our Casino is part of the CIRSA business group. The activity of the Casino is carried out under the control and supervision policies of the CIRSA Group by the central corporate services through the company CIRSA SERVICIOS CORPORATIVOS, S.L.U., based in Ctra. De Castellar 298, 08226 Terrassa (Barcelona). That is why your data may be communicated and processed for internal administrative and business management purposes.

Likewise, if you have not previously objected to the processing, your data may also be processed to carry out statistical and information analysis, aimed at obtaining economic and profitability values, quality and improvement of the services of the CIRSA Group. According to Recital 48 of the RGPD: “Managers who are part of a corporate group or of entities affiliated to a central body may have a legitimate interest in transmitting personal data within the corporate group for internal administrative purposes, including the processing of personal data of customers or employees”.
International data movement Does not apply
International data transfer Does not apply

Data Controllers The Casino works with third parties necessary for the correct provision of our services, which may have access to them during the exercise of their activity. With said third parties, the obligations and responsibilities they assume in the processing of the data are formalised, in their capacity as Data Processors.

The Casino has the corresponding processing contracts signed by both parties, which include due guarantees regarding the processing of personal data, confidentiality and the deletion, destruction or return of information.
In accordance with the above, we inform you that the Casino has signed a contract with CIRSA SERVICIOS CORPORATIVOS, S.L.U. for the processing of personal data in order to provide various corporate services related to the maintenance and management of the information systems, among others. Existence of a processor’s contract

SOURCE OF THE DATA

Origin of the data Category of the data
The personal data come from the interested party. The personal data collected are identification and contact data, such as name and surname, ID card/passport/resident card/driver’s license, mobile phone number, image, email address and signature.
Also, data relating to the frequency and dates of visits to the casino, data on gambling history, volume of spending and betting, data on preferences and interests.
The data from the register of prohibited parties are accessed by the Casino through the channel provided by the Autonomous Community for the purposes described in processing 1. Identifying data associated with the ban

DETAILS OF THE DATA PROTECTION DELEGATE DATA

Contact the Data Protection Delegate at:
• E-mail: protecciondedatos@cirsa.com
• Telephone: 93 739 67 00
• Postal Address: Carretera de Castellar 298, 08226 Terrassa (Barcelona).