Olympic Entertainment Group Know Your Business Privacy Notice
Valid from: 25.11.2024
1. General provisions
1.1. This notice explains the processing of personal data in the course of Olympic Entertainment Group’s KYB process.
1.2. The data controller is the legal entity with which your company contemplates entering into a business relationship with. Depending on the territory of the Group member or other contractual arrangements, the data controller can be the following legal entities separately or jointly:
All referred to as the “Group”.
1.3. The contact details of the Group’s Data Protection Officer are DataProtectionOfficerEstonia@oc.eu, +3726671250, Pronksi 19, Tallinn 10124, Estonia.
1.4. The Group implements appropriate technical and organisational measures to protect personal data from unauthorised access, unlawful disclosure, accidental loss, alteration, destruction or other unlawful processing. We also require our cooperation partners, to whom we transfer personal data in accordance with this Privacy Notice, to implement the necessary organisational, physical and IT security measures. However, please note that even by using all technical and organisational measures to protect personal data, some risks, such as human error, cyber-attack, loss of electricity, software error or malicious actions of an individual, still remain. Upon discovering such breach, we shall take all reasonable steps to mitigate and minimise the risk to our data subjects.
1.5. Provisions on the processing of personal data may also be included in contracts between the and the Group. In such a case, in the event of a conflict of provisions, the provisions agreed upon in the contract shall apply.
1.6. The data subjects are all natural persons who are associated with the legal entities with whom the Group is contemplating into entering to a business relationship, such as, but not limited to members of the board, directors, shareholders, UBOs or authorised signatories.
2. Data subject rights in relation to the processing of their personal data
2.1. The data subject has the right to request the rectification of inaccurate personal data concerning them.
2.2. The data subject has the right to request the erasure of their personal data. The Group may delete data processed on the basis of consent or legitimate interest if the interests of the Group do not outweigh the interests of the data subject. The right to erasure does not apply to data that is processed for the fulfilment of a legal or contractual obligation, as long as the legal or contractual obligation is valid
2.3. The data subject has the right to request the erasure of their personal data. The Group may delete data processed on the basis of consent or legitimate interest if the interests of the Group do not outweigh the interests of the data subject. The right to erasure does not apply to data that is processed for the fulfilment of a legal or contractual obligation, as long as the legal or contractual obligation is valid.
2.4. The data subject has the right to object to the processing of their personal data (especially on the basis of legitimate interest) and to restrict the processing of their personal data where justified.
2.5. The data subject has the right to receive their personal data, which they have submitted, in a structured and machine-readable format (if technically feasible) for transmission to other companies.
2.6. The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
2.7. The data subject has the right to lodge a complaint about the processing of personal data with the appropriate data protection supervisory authority in the relevant territory.
3. Processed personal data and their sources
3.1. The Group processes the following categories of personal data:
3.1.1. Identification data: first name, last name, personal identification code or date of birth, photo of the person.
3.1.2. AML and Verification data: type of the identity document, number of the document, date of issuance and validity, copy of the document, the list of sanctioned persons, country of residence, occupation or activity, country of residence, information on being a politically exposed person.
3.2. The Group does not process special categories of personal data related to the data subject (data concerning racial or ethnic origin, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your h
3.3. The Group collects data related to the data subject from the data subject and any legal entity with which a Group member contemplates entering into a business relationship, publicly available sources, and third parties such as public authorities, national databases and Acuris Risk Intelligence LTD, an intermediary of a database concerning the verification of politically exposed persons and sanctions
4. Legal basis and purposes
4.1. The legal bases for the processing of the data subject’s personal data is: performance of legal obligations.
4.2. For performance of legal obligations, we process: Identification, AML and Verification Data.
4.3. The purposes of processing the data subject’s personal data is to conduct the know-your-business procedure and therefore compliance with applicable laws relating to fight against money laundering, terrorist financing and international sanctions evasion, as well as applicable data protection legislation, such as the General Data Protection Regulation 679/2016/EU.
4.4. The data subject is obliged to provide such personal data. Failure to provide such data will prevent a Group member from fulfilling its legal obligations and will result the Group in either terminating or refusing to enter into the business relationship.
5. Transmission of personal data
5.1. In order to fulfil its legal obligations, the Group uses partners as personal data processors, who process data based on and to the extent of the instructions given by the Group.
5.2. When processing personal data, the Group will transfer your personal data to the following recipients: Group companies, public authorities, courts, banks, auditors and legal advisors, insurance companies, analytics service providers, archiving service providers, information transmission and communication service providers, PEP and sanction verification database intermediary, whistleblowing platform operators, database providers.
5.3. If the Group partner processing the data is located outside the European Economic Area, the safeguards to be used for the transmission of personal data are: an adequate level of data protection in the recipient country in accordance with the European Commission’s decision, or the use of standard contractual clauses for data protection developed by the European Commission in the cooperation agreement (click on the relevant link for more information).
5.4. Any Group member company listed in clause 1.2 may act as separate or as a joint controller of data subject data who processes the personal data for the purpose of conducting its own KYB process or in terms of resource management may share workforce across the Group members to conduct the KYB process for its own or on behalf or benefit of another Group member. The Group has entered into an agreement to this effect, which allows the parties to share the personal data to achieve the purposes contained in this Privacy Notice.
6. Time limits for the retention of personal data
To comply with applicable legislation, we must retain the collected personal data for at least 5 and in some jurisdictions, up to 10 years after the end of the business relationship, depending on the statutory requirements of the jurisdiction of each controller conducting the KYB process. If the personal data is not deleted, then the Group and/or a controller has assessed that it has a legitimate interest in retaining all or part of the data, in which case the relevant data is not retained for longer than needed to fulfil legitimate purposes.