Privacy Policy

CASINO NUEVA ANDALUCIA MARBELLA, S.A. (hereinafter, “Casino Marbella” or “the Casino”) wishes to inform users of the website https://casinomarbella.com/ (hereinafter, the “Website”) and Casino clients of the following information regarding data protection (hereinafter, the “Privacy Policy”).

1. WHO IS THE DATA CONTROLLER AND HOW CAN YOU CONTACT US?
The Data Controller is CASINO NUEVA ANDALUCIA MARBELLA, S.A., incorporated in accordance with Spanish law, holding Tax Identification Number A29043064, with registered office at Edificio Hard Rock Hotel Marbella, Ctra. A-7 Km. 1.051, 29660, Marbella, Málaga, Spain.
Data subjects are hereby informed that, for commercial communications described in processing activity number 3 of this policy, all companies described in Annex 1 shall act as joint data controllers of their personal data.
Should Clients have any questions regarding the processing of their personal data, they may contact our Data Protection Officer at the following email address: protecciondedatos@cirsa.com.

2. WHAT IS PERSONAL DATA AND WHAT IS DATA PROCESSING?
Personal data is any information relating to an identified or identifiable natural person. An identifiable natural person is one whose identity can be determined, directly or indirectly, in particular by reference to an identifier, such as a name, identification number, location data, online identifier, or one or more elements specific to the physical, physiological, economic, cultural, or social identity of that person.
Processing of personal data refers to any operation or set of operations performed on personal data, such as collection, recording, storage, use, and communication.

3. THROUGH WHICH CHANNELS DO WE COLLECT PERSONAL DATA?
We collect Clients’ personal data through the following channels:
• Through the Casino access process:
o By providing a personal identification document issued by a governmental authority.
o By completing the admission and access form.
o Through video surveillance systems installed at our premises.
o Through the channel provided by the relevant Autonomous Community regarding registration data of banned individuals.
• Through the process of contracting our products and/or services;
• Through the registration form to create a Casino Marbella account;
• Through the subscription form for our newsletter;
• Through video surveillance systems;
• Through requests for information and, where applicable, booking and subsequent contracting of tables or Casino spaces via the relevant form;
• Through participation forms for promotional actions such as contests and prize draws;
• By submitting a job application via the designated form or email address;
• Through the User Support contact form;
• Through the contact form and other customer service channels (email, SMS, and WhatsApp);
• Through interaction with, use of, and navigation of the Website. Browsing and usage data is collected through data storage and retrieval systems such as cookies. Clients may find more information in our Cookie Policy [GS1.1].

4. WHAT PERSONAL DATA DO WE PROCESS AND WHAT PROCESSING ACTIVITIES DO WE CARRY OUT?
To comply with legally required information obligations, we provide individualized details for each processing activity in the tables below, specifying purposes, data processed, legal basis, and objectives.

1. Admission and Access Control
PURPOSES:
• Compliance with regulations governing access to casinos.
• Monitoring admission, stay, premises, and access in accordance with applicable Autonomous Community legislation.
• Preventing access by minors, individuals included in the register of persons banned from gambling establishments, or others prohibited under applicable legislation.
PERSONAL DATA PROCESSED:
• Identification data: full name, complete address, identification document number, customer file number, issue date, and validity period.
• Identification data associated with gambling bans.
• Contact details: email address and/or mobile phone number.
• Other identification data: signature and biometric signature data.
LEGAL BASIS:
• Compliance with a legal obligation applicable to the Data Controller.

2. Management and Execution of the Contractual Relationship with Clients
PURPOSES:
• Proper processing of contracting and payment of products and/or services.
• Management of incidents and returns.
• Provision of customer service through available channels.
• Sending communications related to contracted products and/or services.
• Compliance with legal obligations.
• Fraud detection and prevention.
• Legal defense of Casino interests and rights.
• Handling information requests, complaints, and claims.
PERSONAL DATA PROCESSED:
• Identification data: full name.
• Contact details: email address and phone number.
• Social data: full address and date of birth.
• Contract-related data: purchase history, claims, and refunds.
• Financial data: payment method details.
• Any other information provided through purchase forms or contact channels.
LEGAL BASIS:
• Performance of a contract (Terms and Conditions).
• Compliance with legal obligations.

3. Video Surveillance
PURPOSES:
• Ensuring personal and property security throughout the premises.
PERSONAL DATA PROCESSED:
• Identification data: image.
LEGAL BASIS:
• Protection of vital interests.
• Mission carried out in the public interest.
• Compliance with legal obligations, including Royal Decree 2364/1994 and Order INT 317/2011.

4. Client Account Registration and Management
PURPOSES:
• Registration and deregistration of client accounts.
• Account and profile management.
• Enabling use of account functionalities.
• Password recovery and account support.
• Fraud prevention.
• Compliance with legal obligations.
PERSONAL DATA PROCESSED:
• Identification data: full name.
• Contact details: email address and phone number.
• Social data: full address and date of birth.
LEGAL BASIS:
• Client consent.

5. Reservation and Private Event Management
PURPOSES:
• Proper provision of reservation services.
• Incident and inquiry management.
• Legal compliance.
PERSONAL DATA PROCESSED:
• Identification data: full name.
• Contact details: email and phone number.
• Reservation/event details: date, time, number of attendees, estimated budget.
• Financial data (only if contracting occurs).
• Any additional information provided.
LEGAL BASIS:
• Pre-contractual measures and contract execution.
• Legitimate interest.

6. Management of Promotional Activities
PURPOSES:
• Managing participation in promotions and prize delivery.
• Managing incidents and claims.
• Fraud prevention.
• Compliance with legal obligations.
PERSONAL DATA PROCESSED:
• Identification data: full name.
• Contact details: email and phone.
• Promotional participation data.
• Additional information provided by participants.
LEGAL BASIS:
• Execution of contractual terms (promotion rules).
• Compliance with legal obligations.

7. Job Application Management
PURPOSES:
• Evaluation and possible hiring of candidates.
• Management of employment relationship if hired.
PERSONAL DATA PROCESSED:
• Identification data: full name.
• Contact details: email and phone number.
• Professional data: résumé/CV.
• Additional candidate information.
LEGAL BASIS:
• Pre-contractual measures and employment contract execution.

8. Gambling Analysis for Fraud, Money Laundering, and Terrorism Financing Prevention
PURPOSES:
• Identity and payment method verification.
• Fraud detection and investigation.
• Casino security.
• Mandatory reporting to regulatory authorities.
PERSONAL DATA PROCESSED:
• Identification documents.
• Gambling ban-related data.
• Visit frequency and dates.
• Gambling transaction data.
• Payment method data.
• Risk and compliance analysis (using public and private sources).
LEGAL BASIS:
• Compliance with Law 10/2010, Royal Decree 304/2014, and Law 11/2021.

9. Customer Service
PURPOSES:
• Handling information requests and inquiries.
• Managing complaints and claims.
PERSONAL DATA PROCESSED:
• Identification data: name.
• Contact details: email and phone number.
• Additional information provided.
LEGAL BASIS:
• Contract execution or pre-contractual measures.
• Legal obligations.

5. HOW LONG WILL WE KEEP PERSONAL DATA?
• Personal data will be processed as long as necessary for the stated purposes.
• Afterward, data will be blocked and retained for legally required periods.
• Upon expiration, data will be anonymized or deleted.

6. WHAT DATA PROTECTION RIGHTS CAN CLIENTS EXERCISE?
Clients may exercise rights of access, rectification, objection, erasure, data portability, and restriction of processing by contacting protecciondedatos@cirsa.com.
If dissatisfied, Clients may lodge a complaint with the Spanish Data Protection Agency (AEPD) at http://www.aepd.es.

7. TO WHOM DO WE DISCLOSE DATA?
Personal data may be disclosed to payment platforms, banks, legal authorities, regulators, and security bodies where legally required or justified.

8. WHO MAY ACCESS CLIENTS’ PERSONAL DATA?
Authorized service providers acting as Data Processors under confidentiality and security agreements.

9. ARE THE DATA SECURE?
We implement technical and organizational measures to ensure data security. Data are stored on secure servers and are not transferred outside the European Economic Area.

10. CHANGES TO THIS PRIVACY POLICY
This Privacy Policy may be updated to reflect legal or regulatory changes.

Latest version: April 17, 2026.