Introduction
Nossa Aposta – Jogos e Apostas Online, SA (hereinafter referred to as “Nossa Aposta”) seriously takes into account the privacy and protection of personal data provided through the registration forms submitted by users of the services (“Players”) available through the Site, available in the URL www.nossaaposta.pt ("Site") , drawing up this Security and Privacy Policy (“Policy”) in order to demonstrate its commitment, transparency and respect for the rules and good practices of privacy and protection of personal data provided for in the legislation in force.
Therefore, this Policy has the objective of:
- Describing how Nossa Aposta handles the personal data of all persons related to Nossa Aposta (e.g. Players, partners and users of your Site);
- Informing about the rights of the holders of personal data, in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, on the protection of individuals with regard to the processing of personal data and the free movement of such data ("General Data Protection Regulation" or "GDPR").
Nossa Aposta is also subject to the Legal Framework for Online Gambling and Betting (RJO), provided for in Decree-Law No. 66/2015 , of April 29, as well as the regulations issued by SRIJ – Serviço de Regulação e Inspeção de Jogos do Turismo de Portugal, I.P., where the terms and conditions for the operating of and engagement in online gambling and betting in Portugal are defined.
In these, among other subjects, the obligations and duties imposed on operators, including those relating to the collection, recording and processing of players' data, are identified.
Nossa Aposta is strongly committed to protecting the privacy of the personal data of the Players and of the users of Nossa Aposta’s services ("Users").
Likewise, Nossa Aposta is committed to safeguard, at all times, the rights of the holders of personal data provided for in the applicable legislation.
This matter is important and we hope you read it carefully, as the access to the gaming platform available on the Site is only possible if you provide your personal data to Nossa Aposta, as legally requested, and presumes the knowledge and acceptance of the conditions set forth herein.
Nossa Aposta considers security to be a priority and undertakes to maintain an information security management system (ISMS), in accordance with the international normative reference ISO/IEC 27001:2013, in accordance with the legislation in force and with the applicable contractual requirements.
Key concepts: personal data, data subjects, data processing and data controller
a) PERSONAL DATA
Personal data means any information relating to an identified or identifiable natural person. An identifiable person shall be deemed to be identifiable, directly or indirectly, in particular by reference to an identifier, for example a name, an identification number, location data, identifiers by electronic means or to one or more specific identity elements physical, physiological, genetic, mental, economic, cultural or social nature of that natural person.
b) PERSONAL DATA HOLDERS
The personal data holders (data subjects) are the natural persons to whom the personal data relate. The holders of personal data are, in this case, the Players and Users of the services of Nossa Aposta.
c) PROCESSING OF PERSONAL DATA
The processing of personal data consists of an operation or a set of operations carried out on personal data or on personal data sets, by automated or non-automated means, namely collection, registration, organization, structuring, preservation, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or any other form of disclosure, comparison or interconnection, limitation, erasure or destruction.
d) RESPONSIBLE FOR DATA PROCESSING
The data controller is the natural or legal person who determines the purposes and means of processing the personal data.
The person responsible for the processing of the personal data of Players and Users is Nossa Aposta that provides the service and decides, in particular, what personal data to collect, the purposes and means of the treatment and the term of conservation of personal data.
Principles to be observed in the processing of personal data
In the treatment of the personal data of the Players and Users Nossa Aposta respects, in a permanent way, the following fundamental principles:
a) Legitimacy of the Treatment: personal data will only be processed if and in the event of at least one of the following situations: (i) the data subject has given his/her consent to the processing of his or her personal data for one or more (ii) the processing is necessary for the execution of a contract in which the data subject is party, or for pre-contractual procedures at his request, (iii) the processing is necessary for the fulfilment of a legal obligation to that Nossa Aposta is subject or the treatment is necessary for the defence of vital interests of the data owner or another natural person, (iv) the processing is necessary for the exercise of functions of public interest or for the exercise of the public authority of which it is invested in Nossa Aposta or (v) the treatment is necessary for the legitimate interests pursued by Nossa Aposta or third parties.
b) Transparency: information about the processing of personal data will be provided to the respective holders, which will be transmitted in a concise, easily accessible and understandable way, using clear and simple language.
c) Purpose: personal data will be processed for specific, explicit and legitimate purposes and will not be further processed in a way incompatible with those purposes.
d) Minimization: personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
e) Accuracy: Personal data must be accurate and updated whenever necessary, and our actions must be taken so that inaccurate data, taking into account the purposes for which they are processed, are erased or rectified without delay.
f) Integrity and Confidentiality: personal data will be treated in a way that guarantees its security, including protection against its unauthorized or unlawful treatment and against its accidental loss, destruction or damage, by adopting technical or appropriate organizational structures.
g) Conservation limitation: personal data shall be stored in such a way as to enable data subjects to be identified only for the period necessary for the purposes for which they are processed.
h) Data Protection from Conception and by Default: Nossa Aposta will apply, both when defining the means of processing and during the actual processing of personal data, appropriate technical and organizational measures, intended to apply effectively the principles protection of personal data.
Personal data collected
- Information provided by the Player
The Player has to provide personal data to Nossa Aposta via the registration form, which will be associated with the Player’s account.
In order for you to enjoy our online gaming and betting offer through the Site, you must register as a Player on our Site through completing the form that is available online at the Site for this purpose.
Through this form, personal data such as name, date of birth, nationality, profession, residence address, country of residence, civil identification number and/or passport, tax identification number and the e-mail address, in accordance with the Legal Framework for Online Gambling and Betting. In addition to the above data, the Player will also be asked to indicate the gender and the mobile phone number, in order to improve the services provided by Nossa Aposta. It is mandatory to provide all requested data so that the registration can be activated and the corresponding Player account created.
Additionally, the payment account identifiers will also be collected.
- Information we collect from your use of our services - device information (such as your hardware model, operating system version, as well as information from the mobile network, including mobile number), registration and location (IP address, browser type, browser language, the date and time request and referral URL), cookies and similar technologies (see our Cookies Policy for more information on this topic).
Purpose of collecting information
In compliance with the provisions of current legislation, the personal data collected at the time of registration and access to the Site are only for the purposes arising from the use of the services provided through the Site for Nossa Aposta.
In the scope of its activity, Nossa Aposta collects and processes the personal data of the Players, for the following purposes:
- Management of the relation and the contractual relationship with the Player;
- Generic provision of services (e.g., management of complaints, contacts, information or requests);
- Carrying out promotional activities;
- Conducting contests, where the processing of personal data is carried out for the purpose of managing the participation of the Player and/or User of the Place of Nossa Aposta in one or more contests (whose rules are in the regulation applicable to each competition). Your data will only be kept for this purpose for the time needed to manage the contest.
- Sale or marketing of services, improvement and development of services and experience of use, offering personalized content;
- Audit and internal control actions, including, but not limited to, preventing fraud and fighting money laundering and terrorist financing, and also maintaining adequate levels of security;
- Definition and analysis of profiles ("profiling"), based on information related to your gaming activity. This information is analysed to identify your consumption profile, allowing you to send personalized and appropriate information to your profile. Nossa Aposta uses statistical information related to the profiles of the Players to improve their offer, plan their communication and manage loyalty programs;
- Elaboration of statistical studies that allow us to understand how Nossa Aposta can improve the level of services that it provides and products that it offers and, in this way, respond more effectively to the expectations of the users;
- Analysis of compliance with applicable legal and regulatory obligations;
- Security control: control of logical, physical accesses (to the premises of Nossa Aposta), including video surveillance.
We use the information we collect from all our services to make, maintain, protect and improve these services and to develop new services, as well as to protect our Players and Nossa Aposta. We also use this information to provide personalized content to our Players.
Legal basis for the processing of personal data
Nossa Aposta will only process personal data provided that one of the following grounds is verified:
a) Consent: cases in which the Player or User has given their free, specific, informed, explicit and unequivocal consent, either verbally, in writing, in person or through the completion and validation of a form or selection option. For example, Nossa Aposta will treat your personal data, if you have given your consent, to record the calls you make to our call centres.
b) Execution of a contract or for pre-contractual procedures: cases in which the processing of personal data is necessary for joining a service of Nossa Aposta or for their respective performance or execution, for example, for the management of contacts and information or orders.
c) Fulfilment of a legal obligation: cases where the processing of personal data is necessary in order for Nossa Aposta to fulfil a legal obligation to which it has a bound, for example, compliance with tax obligations and response to requests from judicial authorities.
d) Legitimate interest: cases where the processing of personal data is necessary so that Nossa Aposta can exercise a legitimate interest of its own or of a third party, for example, improvement and development of services.
Data controller
The entity responsible for the collection and processing of personal data is Nossa Aposta.
In the scope of its activity, Nossa Aposta may use third parties to provide certain services, which may imply access by these entities to the personal data of its Players.
Nossa Aposta does not transfer the personal data of the Players and Users to third parties, except in cases where it proves necessary for the performance of the services they have contracted, for the performance of legal obligations to which Nossa Aposta is subject, or when you have given consent to that effect.
The transmission of data to third parties is carried out in accordance with the applicable legislation on data protection and within the limits of the purposes and legal grounds defined in this Policy.
Nossa Aposta may share personal data with the following entities:
a) Service providers that provide services Nossa Aposta (for example, providers of information technology services);
b) Partner entities of Nossa Aposta, in cases in which you have given your consent for this purpose;
c) Public authorities, in the fulfilment of legal obligations (such as, for example, the Tax Authority, SRIJ or judicial authorities).
In cases where the transmission of personal data to the above entities involves an international transfer of personal data (i.e., outside the European Union), Nossa Aposta:
(a) Ensures that such transfer is made on the basis of a decision by the European Commission to the effect that the country or international organization concerned ensures a level of protection of personal data equivalent to that resulting from European Union law; or,
b) If there is no decision by the European Commission to ensure the adequacy of the data, it will ensure that these data transfers are carried out in strict compliance with legal provisions and that adequate guarantees are put in place to ensure the protection of personal data.
You can consult the adequacy decisions on www.eur-lex.europa.eu.
The obligations of Nossa Aposta resulting from this Security and Privacy Policy, including the obligation of secrecy, are extended to all its employees and subcontractors, regardless of the nature of their relationship, which continues after the termination of their duties.
For the purpose of validating and processing the personal data collected, Nossa Aposta is legally obliged to verify its authenticity with the competent entities, and may request documents to the Players in case the verification was not possible by that means.
Rights of the data subject
As the holder of the personal data, you have the following rights:
a) Right of access and information: you have the right to obtain confirmation as to whether your personal data are handled by Nossa Aposta, as well as the right to access such data and to obtain information about the treatment thereof, including the purposes of the processing, the recipients or categories of recipients of the data and their storage periods. You are also entitled to obtain a copy of the personal data processed.
b) Right of rectification: you have the right to request rectification of personal data that is not accurate, as well as the right to request that data that are not complete are duly completed.
c) Right to request data deletion ("right to be forgotten"): in certain situations, you have the right to request the deletion of personal data. The right to erasure may be limited in the cases provided for in the GDPR, among which, in cases where Nossa Aposta is obliged by law to process its data, or in cases where the processing is necessary for the purposes of declaration, exercise or defence of a right in a judicial process.
d) Right to request the limitation of the processing of your personal data: in certain situations, you have the right to request for the treatment of your personal data to be limited. This will happen, for example, in cases where you dispute the accuracy of your personal data, for a period that allows Nossa Aposta to verify its accuracy, or in cases where you have objected to the processing of your data, until it is verified the interests of Nossa Aposta prevail over yours.
Limitation of treatment may result in complete suspension of treatment or limitation of treatment to certain categories of data or treatment purposes.
e) Right to portability of personal data: in cases where (i) the treatment is based on your consent or the execution of a contract you have entered into with Nossa Aposta and (ii) the processing is performed by automated means, you have the right to receive the personal data that concerns you and that you have provided to Nossa Aposta, in a structured format, in current use and automatic reading, as well as the right to transmit it to another controller.
In such cases, you also have the right to request Nossa Aposta to transfer this data to another party responsible for the treatment, as long as this is technically possible.
f) Right to withdraw your consent: you have the right to withdraw the consent you have provided for the treatment of your data at any time. If you withdraw your consent, your personal data will no longer be processed unless there is a legal basis that requires such processing.
g) Right to object to the processing of your personal data: in certain situations, especially when the treatment is based on the legitimate interests of Nossa Aposta, you have the right to object to such treatment, for reasons related to your particular situation.
When you object to the processing of your data, Nossa Aposta will cease such treatment, unless there are compelling and legitimate reasons for such treatment that prevail over your interests, rights and freedoms, or that personal data are required for the purpose of declaration, exercise or defence of a right in a judicial proceeding.
Where personal data are processed for the purpose of direct marketing, which includes the definition of profiles related to such marketing, you may oppose such processing at any time.
h) Right not to be subject to any automated individual decision: you have the right not to be subject to any automated individual decision, i.e. taken solely on the basis of automated processing, including profiling, that have legal effect or that significantly affect you in a similar way.
Individual automated decisions may be taken if such decisions (i) are necessary to enter into or enforce a contract between the data subject, (ii) are authorized by legislation to which Nossa Aposta is subject or (iii) are based on the explicit consent.
Nossa Aposta does not adopt automated individual decisions, that is, with legal effects or similar significant impacts. In cases where it adopts individual automated decisions, Nossa Aposta applies appropriate measures to safeguard its rights, freedoms and legitimate interests, ensuring at least the right to obtain human intervention by Nossa Aposta, to express your point of view and to challenge the decision.
i) Right to file a complaint: right to file a complaint with Nossa Aposta or with the Comissão Nacional de Protecção de Dados (National Data Protection Commission), which is the competent control authority in Portugal.
Exercise of rights by the the data subjects
The exercise of the rights by the holders has no costs, unless the requests presented by a data subject are manifestly unfounded or excessive, in particular because of their repetitive nature, in which case Nossa Aposta may demand the payment of a reasonable fee, taking into account of the administrative costs of providing the information or communication, or of taking the requested action, or may refuse to comply with the request.
The information will be provided in writing, but may be provided orally, if the data subject so requests, and if Nossa Aposta has reasonable doubts as to the identity of the natural person who submits the request, Nossa Aposta may request him or her to provide the information necessary to confirm the identity of the holder of the personal data.
Requests submitted must be replied to within 30 (thirty) days, unless it is a particularly complex request.
The rights of data subjects may be exercised through the following addresses:
- Nossa Aposta - Rua Luciana Stegagno Picchio n.º 3, 1549-023 Lisboa;
- compliance@nossaaposta.pt
The Player will be able to consult the information provided by him/her, whenever desired and with full autonomy, in the area "My Account" after login, through entering your username and password.
Should you wish to rectify or eliminate them, you may do so by contacting Nossa Aposta by using the means available on the Site.
However, there are specific legal requirements regarding:
-
Changes to player registration:
- The player may request changes to personal information concerning him/her, other than those relating to the date and place of birth, civil identification number and tax identification number (Article 6, paragraph 1 of Regulation 836/2015 of 23 November 2015);
- Changes in payment account imply sending a copy of the document proving the identifying elements of that payment account and respective ownership (Article 6, paragraph 2 of Regulation No 836/2015 of 23 November 2015).
If the player wants to check accesses to his/her player account (e.g. in order to detect any unauthorized access), he/she may:
- Check his/her last login information (both on the Main Menu and on Account Details);
- Check the history of transactions and games played on Account Details; and/or
- Contact the Customer Support Team.
Period for the preservation of personal data
All data related to the business of online gaming carried out in the Site will be kept for a period not less than 10 years (Article 34 of Decree-Law No. 66/2015).
External links
Our Site contains links to other websites. Nossa Aposta is not responsible for the privacy policies or the content of these websites.
It is recommended that users of the Site of Nossa Aposta that, when they access other websites, consult the pages that, within these sites, refer to their privacy policies. This text only refers to the Security and Privacy Policy applicable to the Site of Nossa Aposta.
Technical and organizational measures
In order to guarantee the confidentiality and security of the data, Nossa Aposta adopted and implemented sufficient and adequate technical and organizational measures to ensure the protection of the personal data against accidental or unlawful destruction, accidental loss, alteration, unauthorized disclosure or unauthorized access, and any other form of unlawful treatment, as well as the necessary and adequate measures to ensure the accuracy, integrity and confidentiality of personal data and a level of technical and organizational security appropriate to the risks inherent in the processing and nature of personal data.
All data and information entered through the Site are encrypted in accordance with best practices available. In order to ensure the proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of the information, a policy and related procedures for the use of cryptographic controls, as well as for the use and protection of cryptographic keys throughout their entire life cycle, have been developed and implemented.
Updates to Security and Privacy Policy
Nossa Aposta may at any time change this Policy, considering that such changes come into effect as of the date of their communication to Players and Users.
Date: 24/05/2018