GENERAL POLICY REFERRING TO THE PROCESSING OF PERSONAL DATA - GAME WORLD ROMANIA SRL
1. GDPR presentation and definitions
1.1 Game World Romania SRL, as a personal data operator, attaches great importance to the processing of personal data, provided at the initiative of customers, suppliers, business partners and employees, collected as a result of a legal obligation of the operator, wishing to ensure compliance with the legal principles provided by the general regulation on the protection of personal data (Regulation 2016/679 or GDPR), regarding the processing operations undertaken within the activity carried out in the gambling market. The processing operations concern the processing carried out either in the gambling halls belonging to it or at the company headquarters.
1.2 The GDPR represents the regulatory framework that replaces Directive 95/46/EC on data protection, and by virtue of its direct effect, it also replaces the legislation of each Member State that has been developed in accordance with the above-mentioned Directive. The purpose of the GDPR is to protect the rights and freedoms of natural persons (natural persons who are alive) and to ensure that personal data are not processed without their knowledge and, whenever necessary, that they are processed with their informed and specific consent.
1.3 Definitions used by Game World Romania (taken from GDPR)
Material scope (Article 2) - GDPR applies to the processing of personal data, carried out in whole or in part by automated means (computer, laptop), as well as the processing by means other than automated (paper records) of personal data which are part of a data record system or which are intended to be part of a data record system.
Territorial scope (Article 3) - The GDPR will apply to all operators based in the EU (European Union) who process the personal data of the data subjects, regardless of whether the processing takes place in the EU. It will also apply to operators outside the EU that process personal data to provide goods and services or to monitor the behavior of data subjects residing in the EU *.
Headquarters - the head office of the operator in the EU will be the place where the operator makes the main decisions regarding the purpose and the means of his data processing activities. The head office of an operator in the EU will be the place where the central administration is located. If an operator has its headquarters outside the EU, it will have to appoint a representative in the jurisdiction in which the operator operates to act on behalf of the operator and deal with the supervisory authorities.
Personal data - represents any information about an identified or identifiable natural person (data subject); an identifiable natural person is a person who can be identified, directly or indirectly, in particular by reference to an identification element, such as a name, identification number, location data, an online identifier, or to one or more specific elements, specific to its physical, physiological, genetic, psychological, economic, cultural or social identity.
Special categories of personal data - personal data that reveals racial or ethnic origin, political opinions, religious confession or philosophical beliefs or membership of unions and processing of genetic data, biometric data for the unique identification of a natural person, data on health or data on the sexual life or sexual orientation of a natural person.
Operator - the natural or legal person, the public authority, the agency or other body which, alone or together with others, establishes the purposes and the means of processing personal data; when the purposes and means of processing are established by Union law or national law, the operator or the specific designation criteria may be laid down in Union law or national law.
Authorized person - means the natural or legal person, the public authority or the agency that processes the personal data on behalf of the operator.
Processing - any operation or set of operations performed on personal data or on personal data sets, with or without the use of automated means, such as collecting, recording, organizing, structuring, storing, adapting or modifying, extracting, consultation, use, disclosure by transmission, dissemination or making available in any other way, alignment or combination, restriction, deletion or destruction.
Profiling - any form of automatic processing of personal data intended to evaluate certain personal aspects relating to a natural person or to analyze or predict performance in the workplace, economic situation, location, health, personal preferences, reliability or behavior of that person.
Infringement of the security of personal data - a breach of security that leads, accidentally or illegally, to the destruction, loss, modification, or unauthorized disclosure of personal data transmitted, stored or otherwise processed, or to unauthorized access to them. The operator has the obligation to report to the supervisory authorities the breaches of the security of personal data and the cases in which the breach could adversely affect the personal data or the privacy of the data subject.
Consent of the data subject - means any manifestation of free, specific, informed and unambiguous will of the data subject by which he / she accepts, by a declaration or an unequivocal action, that the personal data be processed.
* As regards the territorial application of the GDPR provisions, the definition is supplemented by the provisions of Guidelines no. 3/2018 of the G29 Working Group on the territorial application of the GDPR.
2. Confidentiality statement
2.1 GAME WORLD ROMANIA SRL, with its registered office in Bucharest, 29A Tudor Vladimirescu Boulevard, Floor 5, Office 2, AFI Tech Park 1, Sector 5, having the registration number at the Trade Register J40 / 1866/2007, CUI RO 20899859, undertakes to comply with the relevant laws of the EU and of the Member States regarding the data with personal character and protection of the rights and freedoms of persons whose information is collected and processed in accordance with the GDPR.
2.2 Compliance with the GDPR is described by this policy and by the relevant procedures, such as the procedure for the requests of the data subjects, the procedure for breach of data security, together with the related processes and procedures.
2.3 The GDPR together with this policy applies to all operations of processing of personal data carried out by Game World Romania, including those carried out on the personal data of customers, employees and partners and any other personal data that the company processes from other sources.
2.4 The DPO is responsible for reviewing the Record of Processing in light of any changes made to the processing operations performed by Game World Romania (the review may be determined by changes in the categories of data processed or the purposes for which the data are processed as a result of initiator reviews) as well as any additional requirements identified through impact assessments on data protection. This register is available at the request of the Supervisory Authority.
2.5 This policy applies to all Game World Romania employees, as well as to its suppliers who process personal data as Game World proxies. Any breach of the GDPR or the policy will be dealt with in accordance with internal rules of the Game World, and under the terms of the GDPR, Game World will notify ANSPDCP of GDPR and policy violations. In the event that the act was illegal, it will be brought to the notice of the competent authorities as soon as possible.
2.6 The partners who work with or for Game World Romania, and who have internal information about the company, must have read, understood and respected this policy. Game World Romania will communicate this policy to any such partner. No third party may process the personal data held by Game World Romania, on behalf of the company, without having entered into a contract by which the parties regulate the obligations regarding the confidentiality of the data. Game World will impose on the third party obligations at least as onerous as those to which Game World Romania undertakes. In this case, the provisions of art. 28 of the GDPR regarding the mandatory provisions that must be included in order to regulate the relationship of operator - authorized person.
3. Responsibilities and roles under the GDPR
3.1 Game World Romania is a personal data operator under the GDPR.
3.2 The members of the management bodies of Game World Romania are responsible for developing and encouraging good practices for the management and processing of personal data within the company.
3.3 The members of the Game World management bodies are responsible for re-evaluating the analysis regarding the fulfillment of the conditions provided by art. 35 of the GDPR if Game World intends to initiate special data processing or processing which may involve a high risk regarding the rights and freedoms of individuals. Also, a new analysis will be made if obligations regarding the protection of personal data additional to those provided for in the GDPR are introduced in national law.
3.4 The DPO, a role provided by the GDPR, is responsible to the members of Game World Romania's management for managing personal data within Game World Romania and for ensuring compliance with the law and good data protection practices. This responsibility includes:
• elaboration and implementation of the GDPR, according to the requirements of this policy;
• security and risk management regarding policy compliance.
3.5 The DPO, which the management of the company considers to have the appropriate qualification and experience, was appointed to assume the responsibility for Game World Romania's compliance with this policy in particular and has the direct responsibility to ensure that both Directors of department, in the case of the processes that take place in their area of responsibility (being initiators of the processing), as well as the company complies with the GDPR policy.
3.6 The DPO has specific responsibilities such as the Procedure which refers to the access requests of the data subjects and is the first point of call for the employees who request clarification on any aspect regarding the protection of personal data.
3.7 Compliance with the data protection legislation represents the responsibility of both Game World and all employees of the company in the exercise of the duties to which they process personal data.
3.8 Game World Romania employees are responsible for ensuring that any personal data about them and provided by them to the company is accurate and up to date.
4. Principles that refer to the processing of personal data
Any processing of personal data is carried out in accordance with the principles of data protection as provided for in Article 5 of the GDPR. Game World Romania policies and procedures are designed to ensure compliance with the principles set out in the GDPR.
4.1 Personal data are processed legally, correctly and transparently
Legality - involves the identification of a legal basis before starting a personal data processing operation. This identification is often referred to as "identifying the basis of processing". The grounds provided by Article 6 of the GDPR and used by Game World are the following: the legal obligation of the operator, the contract concluded between the operator and the data subject, the consent of the data subject, the legitimate interest of Game World Romania.
Fairness - involves the obligation to inform about data processing before processing begins or as soon as possible after processing begins. The information is obligatory regardless of whether the personal data were obtained directly from the data subjects or from other sources.
Transparency - Articles 12, 13 and 14 of the GDPR establish the rules for informing the data subjects. The provisions are detailed and specific, emphasizing that privacy notices must be easy to understand and accessible. The information is communicated to the data subject in an intelligible form, using clear and simple language.
The specific information to be provided to the data subject will include at least:
• identity and contact details about Game World Romania;
• DPO contact details;
• the purpose of the processing of personal data, as well as the legal basis of the processing;
• the period of storage of personal data;
• the existence of the rights to request access, rectification, deletion or opposition to the processing as well as the conditions for exercising these rights, such as affecting the legality of the previous processing;
• the categories of personal data that are the object of the processing;
• the recipients or the categories of recipients of the personal data;
• if applicable, the fact that Game World Romania intends to transfer personal data to a third country recipient and the level of protection granted to the data;
• any additional information needed to guarantee a correct processing.
4.2 Personal data are collected for specific, explicit and legitimate purposes only
The data obtained for specific purposes will not be used for a purpose that differs from the original one, as mentioned in the Record of Processing held by Game World Romania.
4.3 Personal data are adequate, relevant and limited to what is required for processing
• The DPO is responsible for ensuring that Game World Romania does not collect information that is not strictly necessary to achieve the purpose for which they were obtained.
• The DPO will ensure, within the internal annual audit, that the data collected continue to be adequate, relevant and proportionate to the purpose pursued.
4.4 The personal data are accurate and, when necessary, updated, without delay.
• The data stored by the data operator are reviewed and updated. The data are kept only if it can reasonably be assumed that they are accurate.
• The DPO is responsible for ensuring that all personnel are trained on the importance of collecting correct data and maintaining their correctness.
• The processing of correct and updated data is also the responsibility of the data subject. The completion of a registration form or an application by a data subject will include a statement that the data contained are correct at the time of submission.
• Employees, representatives of partners and customers must notify Game World Romania of any changes in personal data to allow the registration containing personal data to be updated accordingly. It is the responsibility of Game World Romania to ensure that any notification regarding the change of situation is recorded and taken into account.
• The DPO has the responsibility to ensure that there are adequate procedures and policies in place to keep personal data correct and up-to-date, taking into account the volume of data collected, the speed with which it could change and any other relevant factors.
• At least annually, the DPO checks the deletion deadlines for all personal data processing performed by Game World Romania, recorded in the Data Processing Register and identifies any data processing and / or categories of data that are no longer needed. This data is securely deleted / destroyed.
• The DPO has the responsibility to respond to the requests for rectification from the data subjects within 30 days (Procedure regarding the access requests of the data subjects). The term can be extended up to two months for complex applications. In the event that Game World Romania decides not to comply with the request or to extend the response period, the DPO will inform the data subject about the reasons underlying this decision, as well as the right of the data subject to file a complaint to the Supervisory Authority.
• If the DPO finds that third parties have transmitted inaccurate or outdated personal data to Game World Romania, it will take all necessary steps to inform the third parties about this aspect and to transmit any correction of personal data to third parties, if this is necessary.
4.5 Personal data are kept in a form that allows the data subject to be identified only for as long as is necessary for processing.
• If personal data is stored beyond the date of processing, they will be pseudonymized to protect the data subject's identity in the event of a data security breach.
• The personal data will be kept throughout the processing by each Department initiating the processing, and the Department Directors will be responsible for deleting / destroying the personal data in case of exceeding the retention period.
• The DPO gives its opinion on any data retention that goes beyond the retention periods and ensures that the justification is clearly identified and complies with the requirements of the data protection legislation. This opinion must be in written form and has the character of a recommendation.
4.6 The personal data are processed in a way that ensures the proper security
The DPO will carry out a risk assessment taking into account all the circumstances of the processing operations performed by Game World Romania in its activity.
In order to determine the suitability, the DPO also considers the extent of any damages or losses that could be caused to individuals (for example, personnel or customers) if a security breach occurs, the effect of any security breach on Game World Romania as a personal data operator as well as a gambling operator, as well as any other possible reputational damage, including possible loss of customer trust.
In evaluating the appropriate technical measures, the DPO will consider the following:
• Password protection with a minimum degree of complexity of  alphanumeric characters;
• Automatic locking of inert terminals after [1/3/5] minutes;
• Removing or monitoring access rights for USB and other media;
• Antivirus and firewall software;
• Access rights based on service attributions, including those assigned to temporary staff;
• Encryption of devices leaving the organization's premises, such as laptops;
• Network security at LAN (Local Area Network) and WAN (Wide Area Network);
• Technologies to improve confidentiality, such as pseudonymisation and anonymization;
• Restricting access to the rooms where computers or other access terminals are installed;
In evaluating the appropriate organizational measures, the DPO will consider the following:
• User identification and authentication (use of a single user account, password, access card or digital certificate when accessing personal data);
• Adequate training levels for all employees;
• Inclusion of the obligations regarding the protection of personal data in the job descriptions and the Internal Order Regulations;
• Identification of disciplinary sanction measures for data security breach;
• Monitoring of personnel regarding the established security obligations;
• Controls regarding physical access to electronic and paper records (for example, access rights in applications);
• Storage of paper data in cabinets that have locking systems;
• Restricting the use of portable electronic devices outside the workplace or defining clear rules regarding their use;
• Restricting the use of the employee's personal devices in the workplace;
• Adopting clear rules regarding passwords.
4.7 The operator can demonstrate compliance with the other GDPR principles (responsibility)
In accordance with Article 5 (2), Game World Romania respects the principles of data protection by implementing data protection policies, implementing technical and organizational measures, and adopting techniques such as data protection by design (privacy by design), conducting the impact analysis (DPIA), as well as drawing up and implementing a procedure for notifying violations and incident response plans.
5. Rights of the data subjects
5.1 The data subjects have the following rights regarding data processing:
• Right of access - through which Game World Romania can obtain confirmation that personal data are processed or not;
• The right to rectification - this implies the possibility to request Game World Romania to rectify the inaccurate data concerning them;
• The right to be forgotten - through which the operator can obtain the deletion of his data, under certain conditions provided in the Regulation;
• The right to restrict processing - appears in the situation of inaccurate, illegal processing or the right of opposition exercised by the data subject;
• The right to data portability - the right to receive the personal data concerning and provided by Game World Romania in a structured format, currently used and which can be read automatically and which also includes the right to transmit this data to another operator. This right has effect only in the case of processing based on consent or contract;
• The right to opposition - it also includes the right to oppose the creation of profiles;
• The right to information - involves concise, transparent and easily accessible information of the data subjects regarding the processed data;
• To address the Supervisory Authority in case of a violation of the GDPR.
5.2 Game World Romania ensures that the data subjects can exercise these rights:
• The data subjects can make requests for access to data, as described in the Procedure regarding the applications of the data subjects, addressed to DPO, at firstname.lastname@example.org.
• Data subjects have the right to lodge complaints with Game World Romania regarding the processing of their personal data.
5.3 Game World Romania guarantees that it will respect the rights of the data subjects, insofar as these rights have an impact in the processing carried out on their data. In this respect, if for the exercise of a right to a processing the conditions stipulated by the GDPR or the exercise of the right are not met, a legal obligation established for the task of Game World Romania is opposed, the processing will be analyzed and the reasoned decision will be communicated to the data subject.
6. Employee data processing
6.1 Game World Romania processes the personal data of the employees, based on: the employment contract, the legal obligation of the employer, the legitimate interest of the operator or the employee's consent *.
6.2 The goals that Game World Romania aims to achieve by processing the personal data belonging to the candidates at the vacancies within the company or the employees, are detailed in the Information Note on the processing of personal data in the context of employment relationships. Thus, as an example, the goals can be:
• Carrying out the recruitment process or promotion to another position in the company;
• Preparation and updating of the information that compose the personnel file, including the modifications regarding the employment contract;
• The professional evaluation of the employees and the conduct of the disciplinary research;
• Managing the time spent at the workplace in order to establish the salary rights and the payment of these rights;
• Fulfilling the legal obligations regarding health and safety at work;
• Establishing wage rights as a result of temporary incapacity for work, maternity leave, parental leave or childcare and for the efficient allocation of labor in these situations in order to ensure the continuity of the operator's activity;
• Exercise of rights / actions in court;
* Game World Romania takes the necessary measures to ensure that the processing based on the employee's consent complies with the conditions provided by the Guidelines GL 29 regarding the consent under the conditions of Regulation 2016/679 and those provided by the GL 29 Notice no. 2/2017 on data processing at the workplace.
7. Processing of customer data
7.1 Processing for the Crystal Bonus Club card
7.1.1 With regard to the activity in the gambling halls in which Game World operates, personal data processing operations are carried out belonging to clients participating in organized bets or participating in the Crystal Bonus Club loyalty program. Thus, in order to deliver the winnings, the personal data of the clients are processed, if any, according to the legal obligation provided by OPANAF no. 3726/2017, the provisions of art. 110 (6) of the Fiscal Code, as well as under the provisions of Law 129 for preventing and combating money laundering and terrorist financing.
7.1.2 As for the customers participating in the Crystal Bonus Club loyalty program, to whom a customer card has been issued (the purpose of which is to ensure a personalized experience of the players as well as to allow access to the various benefits existing within each gambling hall - to which the data provided by the card issuing form are associated) there may be processing based on the consent of the data subjects, especially regarding marketing communications.
7.1.3 To comply with the conditions stipulated in GL 29 Guidelines on consent, Game World Romania specifically collects the consent for processing for marketing purposes, by using separate check boxes, according to the communication channel in the access form in the loyalty program. The data subjects are informed about the processing carried out on the data belonging to them through the Loyalty Card Regulations, made available to them free of charge.
7.2 Processing by video means
7.2.1 Game World is responsible for ensuring compliance with the principles regarding the processing of personal data, including in the context of processing through video devices, in the gambling halls operated under the Game World brand.
7.2.2 In this chapter, information is included regarding the purpose, basis, categories of data, duration of processing and security measures applicable to this type of processing, as follows:
7.2.3 Purpose of processing. Game World Romania processes your personal data, namely the image, through video systems in order to monitor the access of the persons in the premises where this company is located or to the work points in which it operates, to ensure the security of the spaces and assets of the company, as well as the safety of the persons in the abovementioned spaces. The video surveillance system is used to ensure safety and security at the company headquarters and work points. This system has a complementary role to the other systems for burglary detection and alarm, access control, and fire detection, signaling and alarm, thus forming an integrated physical security system.
7.2.4 The surveillance system allows real-time monitoring and the possibility of post-event viewing as well as the recording, display and video transmission to various persons designated as users of the video surveillance system. You should keep in mind that processing of your data appears only to the extent that you are within the video surveillance perimeter, and refusal to provide this data is tantamount to restricting access to the company's headquarters.
7.2.5 Also, as regards the persons present in the gambling halls owned by Game World, data processing operations are performed consisting of extracting images and using them to satisfy legitimate interests of the operator related to taking appropriate measures for the knowledge of the clients and for the prevention of damage to the Game World Romania heritage by its customers.
7.2.6 Considering the context in which these processing operations appear, such as: verbal or physical destructions or violent manifestations, it is considered that these behaviors create a state of insecurity among the persons present in the gambling hall, which gives legitimacy to the processing of the data of the persons.
7.2.7 The basis of processing. The processing of personal data by means of video surveillance devices, installation and technical use of the equipment and component elements of the video surveillance system are performed in accordance with the legal provisions in the field, respectively with the provisions of Law no. 333/2003 regarding the guarding of the objectives, assets, values and protection of persons and those of the methodological norms for applying this Law, approved by the Government Decision no. 301/2012. From the point of view of the provisions of art. 6 paragraph (1) lit. c from the GDPR, the processing ground is represented by the legal obligation established for the operator by the mentioned legal provisions.
7.2.8 In this regard we mention that the areas monitored at the company headquarters and at the work points (Game World gambling halls) are among those provided by the Methodological Norms, as follows:
• access area and perimeter area;
• the area of the security equipment;
• areas with restricted access;
• transfer areas or other areas with high security regime.
7.2.9 With regard to the data extracted from the video recordings, their basis is art. 6 paragraph (1) lit. f of the GDPR - the legitimate interest of the operator to prevent behaviors that have been shown to be harmful to him or to other persons present in the gambling hall or at the company headquarters. The extracted images can also be used for the exercise of a right, if the images capture the data subject committing a crime punishable by criminal or contraventional law.
7.2.10 Categories of personal data processed and data subjects. The image of the person present in the perimeter covered by the surveillance cameras. The data subjects can be customers of the operator or its employees. Occasionally, the images may also capture people who are within the range of the surveillance cameras or employees of some contractual partners.
7.2.11 Duration of processing. The images collected by the surveillance cameras are stored for an average of 30 days, being subjected to automatic overwriting.
7.2.12 In case of security incidents, images can be extracted and stored separately, either under a legal obligation of the operator (in the sense that a criminal investigation body may request access to images, based on an ordinance), either for finding, exercising or defending a right in court. In this context, the storage duration is determined by the operator's participation or not in the procedure before the courts, in which case the images will be kept until the case remains final. If the operator does not participate in the procedure, the images will be deleted within a reasonable period of time from their transmission to the research body that requested them.
7.2.13 Given the legal deadline for filing a criminal complaint in the event of a destruction offense, for example, the extracted images will be stored until a decision is made regarding the situation of the person responsible for the destruction. In other situations, where a procedure is not followed before the judicial bodies, storing an image with the data subject may take the time considered necessary to prevent such behaviors in the Game World gaming halls.
7.2.14 Security measures. In order to ensure the security of the video system and to increase the degree of protection of the privacy of the data subjects, the operator has implemented the following technical and organizational measures:
• Limiting the storage time of the filmed material, according to the legal security requirements. Please note that the legal provisions impose on us a storage period of at least 20 days;
• storage media are in secure spaces, protected by physical and technical security measures;
• all users with the right of access have signed the job description which obliges them to respect the legal provisions in the field of personal data processing;
• the access to the video system is achieved as a result of the definition of user accounts by the system administrator that allow access based on a password consisting of alphanumeric characters;
• measures for monitoring and detecting access attempts;
• the right of access is granted to the users in compliance with the principle necessary and sufficient for fulfilling the duties of the service;
• at the end of the contractual employment relationship the rights granted to the user are withdrawn;
• the system administrator is the person who has the right to grant, modify or withdraw the access right of the users;
• the system administrator maintains an updated list of all persons who have the right of access to the video surveillance system, specifying the type of access;
• the person in charge of the protection of personal data is consulted before the installation of a new video system;
• regarding the prevention of unauthorized access, measures have been implemented to ensure traceability of user actions.
8.1 Game World Romania understands "consent" as being granted by an unequivocal action that constitutes a freely expressed, specific, informed and clear manifestation of the agreement of the data subject to the processing of his personal data.
8.2 Consent obtained under pressure or based on misleading information will not be a valid basis for processing.
8.3 Game World Romania will keep the evidence of the communication between the parties to demonstrate the consent expressed by the data subjects. The consent cannot be deduced from the lack of response to a communication. Game World Romania must be able to demonstrate that the consent for the processing operation has been obtained.
8.4 For the processing of sensitive or special data, explicit written consent (Procedure for granting the consent) of the data subjects will be obtained, unless there is another legal basis for processing.
8.5 Where the consent of the data subject is required as the legal basis of the processing, it will be obtained by Game World Romania using the Procedure for obtaining the consent.
8.6 In the case of processing based on the consent of the data subject, Game World Romania provides the means by which the right to withdraw consent can be exercised, either through an unsubscribe link (regarding marketing communications) or through a written request addressed to the DPO. Regarding electronic communications using the telephone numbers provided by the participants in the loyalty program, the right of opposition can be exercised in the place where the data subject gave his consent, by a simple request, even verbal, addressed to the gambling hall manager.
9. Data processing of partners
9.1 Game World may process personal data belonging to representatives of contractual partners. In this regard, with a view to the smooth running of the contractual relations, we can process personal data of the representatives and contact persons designated by our partners. These may consist of: name, first name, position, telephone number and email address.
9.2 Purpose. Personal data of the representatives of our business partners may be transmitted to us. In this case, we may use the personal data you provide to us in order to manage and ensure the smooth running of the relationship between the parties. If this is the case, we may use the personal data you provide to us to evaluate the satisfaction of your business partners or for purposes related to marketing research.
10. Data processing of candidates
10.1 Game World collects personal data that belongs to you when you apply for a job in this company. This data may come both from the CV submitted to one of the email addresses dedicated to the recruitment process (email@example.com) and from the CV submitted on one of the recruitment platforms.
10.2 The basis of the processing of your data is the consent expressed by sending a CV to the indicated email address or by applying on the recruitment platforms. The purpose of processing the data provided will be the management of the recruitment process, contacting you and your participation in the interview.
10.3 As a general rule, your personal data will not be transmitted to other operators. If another company in the group is carrying out a recruitment process and your CV is adapted to the needs of that company, based on your consent, we will be able to send the CV for analysis to that group company.
11. Duration of processing
11.1 The criteria used to establish the duration of the processing of personal data of the clients, employees or legal representatives of the business partners will take into account the fact that the processing is necessary in order to carry out the contractual relationship and, at the conclusion of the contractual relationship, the legal obligations in fiscal matters incumbent on Game World Romania.
11.2 Regarding the processing of personal data performed in the context of the recruitment processes conducted by Game World Romania, in the case of the candidates who were not selected for the job, the processing time will be limited to the period related to the recruitment process; at the end of this process the CVs submitted will be deleted. In the case of candidates who subsequently become employed, the data collected during the recruitment process will be stored in the personnel file throughout the contractual duration of work.
11.3 Regarding the personal data of the clients, insofar as the processing is based on their consent, the processing will continue until the data subject expresses a contrary will.
12. Data security
12.1 All employees must ensure that any personal data that Game World Romania holds, and for whose processing they are responsible, are kept safe and are not disclosed to any third party, unless this third party has been expressly authorized by Game World Romania to receive this information.
12.2 All personal data are accessible only to those who need to use them in accordance with the access rights that have been granted to them, in order to exercise their duties according to the job description. All personal data are managed with the utmost security and are kept:
• in a locked room with controlled access; and / or
• in a drawer or in a locked cabinet; and / or
• if they are computerized, password protected according to the security level set by Game World Romania; and / or
• stored on removable media that is encrypted.
12.3 Game World Romania employees will ensure that the screens of the devices they use are not visible to any unauthorized third party.
12.4 The printed documents as well as any copies will not be left in places accessible to unauthorized personnel and cannot be used outside the work points where they are stored or at Game World Romania headquarters without explicit authorization. Any copy must be destroyed as soon as the purpose for which it was made has been fulfilled.
12.5 Printed documents for which the established deletion deadline has been reached are disposed of and destroyed as "confidential waste." Prior to removing electronic devices, their storage media are restored to factory settings or destroyed.
12.6 The processing of personal data outside Game World Romania presents a potentially higher risk of loss, theft or deterioration of personal data. Employees must be specifically authorized for off-site data processing.
13. Data disclosure
13.1 Game World Romania ensures that personal data is not disclosed to unauthorized third parties. Game World Romania employees are aware that family members or friends are included in the category of unauthorized third parties.
13.2 In view of the legal reporting obligations established by Game World Romania as a gambling operator, Game World may transmit personal data pertaining to employees or players to administrative authorities with responsibilities in the field of labor relations, in the field of gambling or in the field of preventing and combating money laundering.
13.3 Also, in order to provide quality services, Game World Romania may contract authorized persons, within the meaning of the provisions of art. 28 of the GDPR, for carrying out processing operations, such as electronic communications for marketing purposes, fidelity program management, document archiving or data storage. In these situations, Game World will transmit to these authorized persons the categories of personal data necessary for the processing of the data in order to achieve the goals set by Game World Romania.
13.4 There may be situations in which Game World will process the data with other operators, in which the parties are qualified by art. 26 of the GDPR as associated operators. Such situations arise in particular as regards the actions of Game World regarding the granting of the scholarships as well as the buttons on the page www.mygameworld.ro which lead to the Facebook / Instagram page of the Game World or to the YouTube channel.
13.5 In the context of the Facebook / Instagram pages, we inform you that accessing them from the www.mygameworld.ro page leads to the processing of your data jointly by Game World and Facebook / Instagram. By accessing our pages in this way, we will be able to access aggregate and statistical information. You should also be aware that the processing of your data by Facebook / Instagram / YouTube is subject to the processing policies of these operators.
13.6 By way of example, the categories of data that we have access to as a result of the use of our pages are as follows: data on the total number of page views with the source www.mygameworld.ro, data on the age range, country, city and gender of visitors, data on external domains that send traffic to our pages, and the type of device from which the pages are accessed. These categories of data are combined by Facebook / Instagram and are made available to us as anonymous and aggregated data. You have to keep in mind that although the purpose of our data processing is statistical analysis of data, other operators may pursue other purposes of processing, which you can find in their data processing policies.
14. Retention and deletion of data
14.1 Game World Romania will not keep personal data in a form that allows the data subjects to be identified for a longer period than is necessary, in relation to the purpose(s) for which the data were initially collected.
14.2 Game World Romania may store data for longer periods if the personal data will be processed exclusively for archiving in the public interest, for scientific or historical research or for statistical purposes, subject to the implementation of technical and organizational measures adequate to protect the rights and freedoms of the data subject.
14.3 Personal data are securely disposed of in accordance with the sixth principle of the GDPR - processed in a manner appropriate to maintain security, thus protecting the "rights and freedoms" of the data subjects.
15. Data transfers
15.1. The transfer of personal data outside the EEA is prohibited, unless one or more of the specified guarantees or exceptions apply:
• An appropriate decision
The European Commission can and will evaluate third countries, a territory and / or certain sectors in third countries to assess whether there is an adequate level of protection of the rights and freedoms of natural persons. In these cases, no authorization is required.
Countries that are members of the European Economic Area (EEA), but not the EU, are accepted as fulfilling the conditions of an appropriate decision.
A list of countries currently meeting the Commission's suitability requirements is published in the Official Journal of the European Union. http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.htm
• Privacy Shield
• The adequacy assessment by the data operator
In assessing adequacy, the exporting operator must take into account the following factors:
• the nature of the information transferred;
• the country or territory of origin and the final destination of the information;
• how the information will be used and for how long;
• the laws and practices of the country of transfer, including the relevant codes of practice and international obligations;
• the security measures to be taken regarding the data from the location abroad.
• Mandatory corporate rules
Game World Romania may adopt its own rules for data transfer outside the EU. They require prior approval from the competent supervisory authority.
In the absence of an appropriate decision, Privacy Shield membership or mandatory corporate rules, the transfer of personal data to a third country or an international organization takes place only under the following conditions:
• the data subject explicitly agreed to the proposed transfer, after being informed about the possible risks of these transfers for the data subject, due to the lack of an adequate decision and the appropriate security measures;
• the transfer is necessary for the execution of a contract between the data subject and the operator or for the execution of some pre-contractual provisions adopted at the request of the data subject;
• the transfer is necessary for the conclusion or execution of a contract concluded in the interest of the data subject between the operator and another natural or legal person;
• the transfer is necessary for important reasons of public interest;
• the transfer is necessary for establishing, exercising or defending a right in court; and / or
• the transfer is necessary to protect the vital interests of the data subject or of other persons in case the data subject is not physically or legally able to consent.
16. Register of records of the processing of personal data
16.1 Game World Romania has made an inventory of the processing of personal data and has drawn up a Register of processing records, as part of its program to ensure compliance with the provisions of the GDPR.
16.2 Game World Romania is aware that certain data processing operations may be associated with risks regarding the rights and freedoms of the data subjects. Therefore:
• Game World Romania evaluates the level of risk associated with the processing of personal data for the data subjects. Impact assessments on data protection are performed in connection with the processing of personal data by Game World Romania, and in connection with the processing by other organizations on behalf of Game World Romania.
• Game World Romania manages the risks identified by the analysis carried out, in order to reduce the probability of violating the provisions regarding the protection of personal data contained in this policy.
• Given the nature, scope, context and purposes of processing, if a type of processing, especially that based on the use of new technologies, is likely to generate a high risk for the rights and freedoms of natural persons, Game World Romania performs, before processing, an analysis of the impact of the planned processing operations on the protection of personal data. A single analysis can address a set of similar processing operations that present equally high risks.
• If, as a result of a DPIA, it is clear that Game World Romania is about to start processing personal data that could cause harm to data subjects, the decision whether Game World Romania can continue processing will be referred to the DPO for an advisory opinion.
• If, as a result of the analysis, it is found that there are significant risks, either regarding the possible damages that may be caused to the data subjects, or regarding the categories of data concerned, the DPO will forward the problem to the Supervisory Authority, following the prior consultation procedure referred to in Article 36 of the GDPR.
This change of policy was approved by the management of Game World Romania on 16.06.2020.