As Switzerland’s leading casino group, SWISS CASINOS offers guests a wide range of betting games and exclusive entertainment, both in its physical casinos and on the internet. In the course of our business activities and in direct dealings with our customers, we collect a range of personal information, usually for statutory reasons but also for marketing purposes. To protect your personality, your privacy and basic personal rights, it is both our intention and our duty to exercise the utmost care in dealing with the data entrusted to us in good faith and in accordance with the applicable statutory requirements.

This Data Protection Declaration describes the personal data that SWISS CASINOS collects and processes itself or allows third parties to process on its behalf, why we collect it and how – in short, how the companies of the Swiss Casinos Group fulfill and ensure their obligation to protect data. Personal data is taken to mean any information that relates to a specific or identifiable person.

The following pieces of legislation provide the legal foundation for our handling of personal data:

• Federal Act on Gambling (BGS)
• Gambling Ordinance (VGS)
• Casinos Ordinance (SPBV)
• Anti-Money Laundering Act (AMLA)
• Anti-Money Laundering Ordinance (AMLO-SFGB)
• Federal Act on Data Protection (FADP)
• General Data Protection Regulation of the European Union (GDPR)
• Code of Obligations (OR)

Our Data Protection Declaration is based on the requirements of the European Union’s General Data Protection Regulation (GDPR). SWISS CASINOS is subject to this European regulation in cases where our companies collect and process data from individuals who are permanently resident in the EU for marketing and customer loyalty purposes or have this data processed by third parties (processors). Swiss law (Casinos Act, FADP and Ordinance) applies in all other cases, both in business relationships with customers who are permanently resident (domiciled) in Switzerland, and in the context of operating casinos and online gaming, which are subject to strict state controls. In addition, Art. 328b OR applies to job applicants.

SWISS CASINOS undertakes to collect and process only data that is required under statutory provisions and/or that we regard as necessary for the long-term success of our group. In its own interest, too, SWISS CASINOS endeavors at all times to protect the personal rights and privacy of data subjects when it processes the data entrusted to it. In handling personal data, we observe the following principles in particular:

We work with a number of specialist third-party companies that enable us to offer unique experiences and flawless service to visitors to SWISS CASINOS and users of our online presence on the home pages www.swisscasinos.ch and www.george-grill.ch.

In this context, we forward personal data to third parties only where it is legally permissible, expedient for our business and absolutely necessary for the provision of the service. In such cases, the data may be stored and/or processed only to the extent necessary for each clearly defined purpose and in the fulfillment of contractual obligations toward SWISS CASINOS. The rights and obligations of each cooperation partner are governed by a data processing contract with SWISS CASINOS. Separate non-disclosure agreements (NDA) are also concluded with relevant third parties that gain insight into our personal data in the fulfillment of their contractual obligations. In accordance with our documentation requirements, we keep an up-to-date list of the companies with which we have contractual obligations that have a data protection dimension.

In the case of companies where SWISS CASINOS is able to exert only minimal influence over control of personal data, or none at all (e.g. large foreign IT groups such as Google, Microsoft, Facebook, etc.), we alert data subjects to the availability of information on the handling of their personal data on these providers’ websites. Most of these large companies have data protection certificates (e.g. EU-US Privacy Shield, CH-US Privacy Shield) that guarantee their compliance with the data protection requirements of the respective country when processing data in the US. Furthermore, these companies usually offer users extensive options for the control of personal data (see the apps of the various social media providers).

We process and store your personal data as long as this is necessary for the fulfillment of our contractual and statutory obligations or for other processing purposes; for example, for the duration of the entire business relationship and in accordance with statutory retention and documentation obligations. Personal data may also be retained throughout the period in which claims can be asserted against our company (in particular for the statutory limitation period) and insofar as we are otherwise legally obliged to do so or our legitimate business interests require it (e.g. for evidence and documentation purposes). When your personal data is no longer required for the purposes mentioned in Section 4, it will generally be erased or anonymized where this is feasible. Operational data (e.g. system and other logs) is generally subject to shorter retention periods of 12 months or less.

Swiss Casinos businesses apply active data management and they explicitly train employees in information security and dealing with personal data. A data protection officer appointed for this purpose and the data protection officers of the respective Swiss Casinos Group companies monitor compliance with statutory provisions and internal guidelines.

The pillars of our information security and thus our data protection concept are authenticity, integrity, availability and confidentiality. Our data protection objectives are based on these principles. In implementing these objectives, SWISS CASINOS uses standard modern security technology and defined processes for quality assurance in recording, storing, archiving and destroying electronic and physical data. Companies that operate and maintain IT systems or gaming platforms for SWISS CASINOS are generally certified according to the international quality standard ISO 27001 and use the latest tools to protect personal data against access by third parties.

Everyone has the right to gain information about, rectify, block or erase data, to restrict data processing, to object to our data processing, and the right to issuance of certain personal data for the purpose of transferring it to another location (“data portability”), within the framework of the applicable data protection law (GDPR, for instance) and as provided therein.

You have the right to revoke your consent at any time, although this does not affect the legality of any data processing before this revocation. It is important to note that the exercise of these rights is in conflict with contractual agreements and this may have consequences such as premature termination of the contract or cost consequences. In this case, we will inform you in advance in cases where this is not already contractually regulated.

To exercise such rights, individuals generally need to clearly prove their identity (e.g. with a copy of their ID, if their identity is otherwise unclear or cannot be verified). If you wish to assert your rights, contact us at the address given in Section 3.

Each data subject also has the right to enforce their claims in court or to lodge a complaint with the relevant data protection authority. The responsible data protection authority in Switzerland is the Federal Data Protection and Information Commissioner (http://www.edoeb.admin.ch).

Users of our services agree to this Data Protection Declaration by declaring their consent. Therefore, the legal basis for the data processing contained herein is primarily Art. 6 (1) (a) GDPR. However, in addition to this declaration of consent, SWISS CASINOS reserves the right to refer to the following legal bases for lawful data processing (see in particular Art. 6 (1) GDPR):

• Where data processing is necessary for performance of a contract, Article 6 (1) ( (b) GDPR serves as the legal basis. This also applies to any processing operations required for pre-contractual measures.
• Insofar as data processing is necessary to fulfill a legal obligation to which SWISS CASINOS is subject (e.g. retention obligation), Art. 6 (1)(c) GDPR serves as the legal basis.
• If data processing is required to safeguard a legitimate interest of SWISS CASINOS or a third party (e.g. for the assertion of claims) and if the interests, fundamental rights and freedoms of the user do not outweigh this interest, Art. 6 (1)(f) GDPR serves as the legal basis.
• In the exceptional case that data processing is necessary because of the vital interests of the user or another natural person, Article 6 (1) (d) GDPR serves as the legal basis.

Under legislation that applies to casinos, SWISS CASINOS is obliged to avoid or minimize risks, such as money laundering, gambling fraud and gambling addiction, while also ensuring secure, transparent gaming operations by recording, reviewing and maintaining continuous records of a range of personal information pertaining to its visitors:

Data is processed at the request of the person interested in physical casino operations and is necessary for the stated purposes for the performance of the contract and pre-contractual measures (Art. 6 (1)(b) GDPR). Data is also processed on the basis of the legal obligations to which SWISS CASINOS is subject as set out in the table above (Art. 6 (1)(c) GDPR).

The above-mentioned personal data is recorded and processed by the responsible employees in the group’s own IT system for the specified purposes using dedicated applications (guest information system GIS, Cheeteye). Access regulations of the individual companies ensure that only employees entrusted with implementation of the social concept have access to the personal data.

The casinos are legally obliged to disclose the identity of anyone subject to a gaming suspension to the other casinos (Art. 42 VSBG). These regulations allow the exchange of personal details, the type of suspension (voluntary, ordered), the date of issuance of the suspension and the name of the casino that imposed it. This information is exchanged via a central database to which all casinos in Switzerland are linked. As soon as the suspension is lifted, the relevant casino makes the data about the person in question inaccessible to the other casinos.

In implementing their social concept, the individual casinos cooperate with an addiction prevention center and a therapy facility (Art. 37 VSBG). Personal data is exchanged only to the extent necessary for the processing of the specific case. The commission and authorities may request access to this data where this is required in the fulfillment of their statutory mandate.

Different statutory retention periods apply depending on the type of data in question:

• Personal data that serves the fulfillment of statutory due diligence obligations in the areas of money laundering, gambling fraud and player protection is erased 10 years after the last business contact.
• Video data is erased after 28 days (Arts. 57 and 58 VGS).

Through its website, SWISS CASINOS offers certain online games with the approval of the regulatory authorities. As with the casinos (see Section 4.1), these games are subject to strict state supervision by the Swiss Federal Gaming Board (SFGB). As with the casinos, personal data is collected and processed only to the extent necessary for the mandatory fulfillment of statutory requirements and due diligence (combating money laundering, gaming fraud, player protection).

This data is additionally used for internal marketing purposes.
SWISS CASINOS is dependent on the specialized services of various companies in the operation of the technical infrastructure it requires (web and application server, platform for free online games, mail server, hosting services, game software development). In this context, personal data is processed by the technical systems used by these cooperation partners for the purpose of fulfilling their contractual obligations to SWISS CASINOS.

By registering, the participant gives their consent to the use of their data for marketing purposes (Art. 6 (1)(a) GDPR). The collection and use of the personal data required for this is handled in the same way as data collected in registration for use of free online games (see Section 5.3). The participant can allow or block the use of their data for marketing purposes in their user account.

The data is processed at the request of the person interested in online casino operations and is necessary for the stated purposes for the fulfillment of the contract and pre-contractual measures (Art. 6 (1)(b) GDPR). Data is also processed on the basis of the legal obligations to which SWISS CASINOS is subject as set out in the table in Section 4.1 (Art. 6 (1)(c) GDPR).

Data is not transferred to companies outside the Swiss Casinos Group. The large gaming agency that provides the technical platform for operation of the online games has no access to the personal data of registered users.

A player account holder’s login to online betting games may be suspended at their request and the personal data collected for carrying out online betting games anonymized.

When joining the ROYAL CLUB, guests receive a range of special offers and discounts. In addition, members may use the membership card as proof of identity when they enter the casino. On request and with the prior consent of the guest, SWISS CASINOS collects personal information such as:

• Personal details (surname, first name, date of birth, nationality, address)
• Contact details, such as email address and mobile phone number
• Copy and type and number of a valid form of official identification
• Date and time of the visit to a casino of the Swiss Casinos Group
• Specific gaming interests, such as type of game or event
• Profession

The data is processed at the request of the person interested in membership of the ROYAL CLUB and is necessary for the stated purposes for the fulfillment of the contract and pre-contractual measures (Art. 6 (1)(b) GDPR). In accordance with Art. 28 (4) VSBG, the data is also processed on the basis of the legal obligations to which SWISS CASINOS is subject as set out in the table in Section 4.1 (Art. 6 (1)(c) GDPR).

As membership is associated with certain statutory due diligence obligations (with the membership card also serving as an identity card), any personal data collected is kept in the guest information system (GIS) where it is processed by responsible employees of the individual companies (see previous section). In addition, the relevant personal data is transferred to a group-wide platform of SWISS CASINOS where it used for marketing activities within the company and for certain control functions in the fulfillment of statutory due diligence obligations.

The data collected is not transferred to third parties. The right to issue data on the basis of an official order is reserved; e.g. for the purpose of investigation of a criminal case against a data subject.

The member may informally revoke consent to use of their personal data for marketing purposes at any time. If consent is revoked or the membership terminated or not renewed after the annual card expiry, the data will be erased 10 years after the last business contact (or after the date of the last entry of the data subject) in accordance with the retention period for data in fulfillment of statutory due diligence obligations (see Section 4, last clause).

The companies of SWISS CASINOS use the software E-GUMA from the software provider E-GUMA® (Idea Creation GmbH, Walchestrasse 15, 8006 Zurich) for sale and handling of vouchers and tickets in its online shop (www.e-guma.ch).

For order and purchase processing, the standard personal data required in these cases (in particular surname, first name, address, telephone, email address, plus credit card details where required) is collected and processed.

The payment data is processed in the course of payment processing by Datatrans AG, Kreuzbühlstrasse 26, 8008 Zurich. After a purchaser places an order, the information they provide is passed on to the transport company assigned for the delivery, insofar as this is necessary for the delivery of the goods.

In addition, when the user accesses the website in question, information is temporarily stored in “log files” on the server. These files contain information that the browser of the user’s device sends automatically (see Section 6.1).

The data is processed at the request of the person interested in purchasing and is necessary for the stated purposes for the fulfillment of the contract and pre-contractual measures (Art. 6 (1)(b) GDPR). In addition, SWISS CASINOS has a legitimate interest in use of the software E-GUMA from the software provider E-GUMA® for its voucher and ticket system (Art. 6 (1)(f) GDPR).

As the online shop of the individual casinos is integrated into the website of the respective company (i.e. in “iFrames”), users are referred to the dedicated detailed data protection declaration for each online shop. These may be viewed at the following websites:

• Data Protection, Casino Zurich
• Data Protection, Casino St. Gallen
• Data Protection, Schaffhausen
• Eguma Shop Data Protection Declaration
• Eguma Shop George Bar and Grill

General information concerning data protection for this online service can also be found on the website of the company’s online shop under the link “Data protection”.

In the process of registration, submission of an application (e.g. for ROYAL CLUB membership) or online purchase of services, SWISS CASINOS may offer the visitor the option of subscription to a free newsletter. For registration, only the personal data that is necessary for the delivery of the newsletter is collected and used, including:

• Surname and first name
• Email address (required for secure double opt-in procedure)
• Mobile phone number (if the user wishes to receive information via SMS or WhatsApp)

By actively selecting the corresponding click box and, if necessary, providing their signature, the interested party confirms that they wish to receive the newsletter and/or news via email, SMS/MMS or WhatsApp, and that they have read, understood and accepted the associated general terms and conditions and this Data Protection Declaration. The other personal data collected in the registration process, such as IP address, date and time, serves to prevent misuse of the services or the email address supplied for registration. The subscriber may informally cancel delivery of the newsletter at any time via a link on the website or in the newsletter.

The data is processed at the request of the person interested in the newsletter and is necessary for the stated purposes for the fulfillment of the contract and pre-contractual measures (Art. 6 (1)(b) GDPR). In addition, SWISS CASINOS has a legitimate interest in providing recipients with current information about its company through the newsletter (Art. 6 (1)(f) GDPR).

The information required for the newsletter is used only to send the newsletter and is not disclosed to third parties.

For its internet presence, SWISS CASINOS enters into direct “virtual” contact with interested users and visitors in a number of different ways. We use new technology and media to get to know our visitors better, to recruit potential employees, to provide users with information when they have inquiries and to offer the visitor high quality services and offers tailored to their needs. In addition, the internet services we use accrue user data, either intentionally or unintentionally, about which the visitor to our website or the user of our services has a legal right to information and control at any time.

Below you will find information on the implementation of personal data protection with our web presence on the following websites:

• www.swisscasinos.ch
• www.swissonlinegames.ch
• www.george-grill.ch
• www.spielerschutz.ch

The personal data of the data subject is erased or blocked as soon as the purpose of storage no longer applies. Data may be stored for longer periods if this has been provided for by European or national legislators under EU regulations, laws or other provisions to which the controller is subject. Data may also be blocked or erased if a storage period set out by the above-mentioned standards expires, unless there is a need to further store the data for the conclusion or performance of a contract.

The collection and processing of the personal data required for use of the services presented below is based on interest in the SWISS CASINOS website and is necessary for the purposes mentioned (Art. 6 (1)(b) GDPR). In addition, SWISS CASINOS has a legitimate interest in a website and the services presented below, and in improving the quality of the website (Art. 6 (1)(f) GDPR).

All data on websites operated by SWISS CASINOS is stored on servers provided by METANET.

For each visit to our website, this provider automatically collects data and information from the computer used to access the website. In particular, the following data is collected and stored in an access log (log file):

• date and time of access
• URL of the page accessed
• referrer from which the user accessed the page
• IP address
• browser used
• operating system used
• technical information on the transmission of the data (e.g. volume of data transmitted, protocol used, method used, status of the transmission)

This data is not stored in conjunction with other personal data pertaining to the user. The system is required to temporarily store the IP address for the technical purpose of enabling the website to be displayed on the user’s device. This requires it to store the user’s IP address for the duration of the browser session. The provider stores additional data in log files automatically. This data is collected and processed for the purpose of internal system-related evaluation and to ensure technical security. The logged data can be used in defense against attempted attacks on the web server, to monitor abuse in case of suspicion and to investigate where suspicious usage may constitute a criminal act. The IP address is evaluated only if there are concrete indications of illegal use of the website or the associated systems. Log files are not evaluated for marketing purposes.

The data is erased when it is no longer required for the purpose for which it was collected. If the IP address is recorded to make the website available to the user, this data is erased when the user ends the respective browser session. The log files are completely erased at the end of the following month (i.e. a maximum of two months after visiting the website).

Our website uses cookies; i.e. text files with a characteristic sequence of characters that are stored on the user’s computer system (PC, mobile) when a website is accessed via an internet browser. When the user revisits the web address, the cookie enables the browser to be unambiguously identified and serves to technically optimize our website for the user.

Below you can find a list of all cookies used on the website, sorted by category. The classification of the different types of cookies was developed by the UK’s International Chamber of Commerce and provides more detailed information about the cookies we are using, the reasons we use them and the functions you may lose if you block cookies on your device. The different categories of cookie are:

• mandatory cookies
• performance cookies
• functional cookies
• targeting and marketing cookies

We use performance cookies only on all online portals operated by SWISS CASINOS. These collect anonymous information on the pages visited. By using the website, you consent to placement of these types of cookies on your device. These cookies collect information about how visitors use the website; for example, which pages visitors visit most often and whether they receive error messages from websites. These cookies do not collect any information that could be used to identify a visitor. All information collected by these cookies is cumulative and therefore remains anonymous. This information is used only to improve the functioning of the website.

Depending on the type of cookies (“session cookies”, “permanent cookies”), the duration of storage is between a few minutes and two years (see table above). However, the user can exercise full control over the use of cookies by setting their browser to reject cookies, to store them for a single session only or to delete them prematurely by some other means. Cookies that have already been saved can be deleted at any time. It should be noted that if cookies are deactivated, some functions of the website may be unavailable.

SWISS CASINOS uses a number of plug-ins and tools on its website offered and operated by Google LLC, 1600 Amphitheater Parkway, Mountain View, CA 94043 USA (hereinafter “Google”).

Among the most important of these is Google Analytics. This is a web analysis service that analyzes the usage behavior recorded on our web presence. Our legitimate interest lies in the analysis, optimization and economic operation of our website.

Usage and user-related information, such as IP address, location, time and frequency of visits to our website, is transmitted to and stored by Google on servers in the US. To prevent inferences being drawn about the identity of the user, SWISS CASINOS uses the Google Analytics anonymization function by which Google shortens the IP address within the EU or the EEA. At the same time, Google uses this information to provide us with tailored reports on visits to our website and usage activities on the website.

With its certification under the EU-US data protection agreement (“EU-US Privacy Shield”), Google guarantees its compliance with the data protection provisions of the EU, even when it processes data in the US. According to information provided by the IT company, the user’s IP address is not linked to other data. In addition, the user has recourse to various direct control options that prevent or limit Google’s use of data:

• Google partners
• Google tools

Our website also uses the following plug-ins and services:

If cookies are set by the plug-ins and tools used, they can be blocked, restricted or (if cookies have already been saved) deleted at any time, as with Google Analytics (see above), using the appropriate settings in the internet browser. The steps and measures required to do this differ depending on the internet browser used. Should the user require assistance, the help function of the browser interface, the documentation for their internet browser or the manufacturer’s support department may be able to help. A detailed description of data protection practices for the various services can be found on the data protection declaration website of each respective provider.

SWISS CASINOS uses conventional links on its website to share or like content without iFrames or Javascript code. In some cases, we use the “Shariff” plug-in to ensure that social network functions are integrated in compliance with data protection regulations.

Shariff is an open source program developed by c’t and heise. Integration of this plug-in prevents the social network plug-ins listed below from automatically establishing a link to the server of the social network plug-in on the path of the linked graphic when users visit our internet page(s) on which the social network plug-in in question is integrated. If the user clicks on one of these linked graphics, they are forwarded to the service of the social network. Only then does the social network record information about the usage process. This information includes, for example, the IP address of the user, the SWISS CASINOS website visited and the time and date of access.

Any user wishing to prevent a social network provider from recognizing information about their visit and linking it with their personal user data is advised to log out of the social network or make the appropriate settings in their personal user account on the social network before using these services. More information on “Shariff”.

Through certification under the EU-US data protection agreement (EU-US Privacy Shield), the social network providers listed below guarantee users that they comply with EU data protection requirements even when processing data in the US:

• Google
• Facebook
• Twitter

Visitors to the SWISS CASINOS website may apply for specific advertised positions or send unsolicited applications for jobs at any time on our online portal. The personal information required for this is collected using electronic forms. For further processing in the application process, we process the relevant information in accordance with our internally defined processes and using common IT tools.

The personal data of job applicants is passed on to third parties only for further steps relevant to the recruitment process (e.g. assessments). In such cases, job applicants are informed in advance.

When an employment contract is concluded, the electronic application documents are entered in the employee’s personnel file and processed further in accordance with legally compliant internal process specifications.

Electronic personal data from applications that have not been considered is erased unless the applicant has given their express consent for their data to be retained for a longer period (e.g. for the purpose of inclusion in a database of applicants or interested parties). Application documents in physical form are returned to the applicant if their application proves unsuccessful.

The data subject may revoke their consent at any time with effect for the future (Art. 7 (3) GDPR). In cases in which SWISS CASINOS has a legitimate interest in using the personal application data of a data subject as evidence in legal defense or enforcement in possible legal proceedings, this may be stored or retained until the conclusion of the court case (Art. 328b OR).

Various forms are available to visitors on our website for a range of purposes, including the following:

• press inquiries
• questions about free online games
• registration for specific events
• quote inquiries for a casino event
• solicited and unsolicited job applications (see Section 6.6)
• other forms of contact and inquiry

The user is requested to enter personal details only if necessary to answer or process the request. The mandatory fields (first and last name, email address, telephone and text message) are marked (*). At SWISS CASINOS, contact details entered by the user are processed solely by the employees responsible for the purpose specified on the form.

In the case of contact forms, the information collected is forwarded to the relevant office for processing by means of the email addresses entered and also stored in the content management system (CMS) to ensure data security.

After a final response and processing of a contact request (or after the reason for processing no longer applies), the personal data collected from the user is erased, unless

• a statutory retention requirement prevents this erasure
• the process must be documented due to a potential or existing contractual relationship between the person making the inquiry and SWISS CASINOS
• the user, when filling in the form, has given their express consent to the further use of the information (e.g. for advertising purposes, inclusion in the applicant database, newsletter).

This Data Protection Declaration came into effect on July 2, 2018.