PRIVACY POLICY

ROMANTI CASINO AZORES, JOGO E ANIMAÇÃO TURÍSTICA, S.A., corporate entity 513177671 (hereinafter referred to as RCA), located at Av. João Bosco Mota Amaral, 6, 9500-767 Ponta Delgada, is committed to protecting the privacy and personal data of all individuals with whom it interacts, including customers, suppliers, and employees. In this regard, and in compliance with the provisions of Regulation (EU) 2016/679 of the European Parliament and Council, of 27-04-2016, also known as the General Data Protection Regulation (GDPR), as well as other applicable legislation, particularly Law No. 58/2019 of 08-08-2019, RCA has established this Privacy Policy.

1. Definitions
To ensure a better understanding of this Privacy Policy, it is useful to know the concepts. For this reason, RCA provides a glossary of the terms it considers most important:
Personal data: Any information relating to an identified or identifiable natural person (“data subject”); an identifiable person is one who can be identified, directly or indirectly, particularly by reference to an identifier, such as a name, identification number, location data, electronic identifiers, or one or more specific elements of that person's physical, physiological, genetic, mental, economic, cultural, or social identity.
Processing: Any operation or set of operations performed on personal data or sets of personal data, by automated or non-automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or any other form of availability, comparison or interconnection, limitation, erasure, or destruction.
Special categories of personal data: Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data identifying a person uniquely, data concerning health, or data concerning a person's sex life or sexual orientation.
Sensitive categories of personal data: Personal data relating to the economic or financial situation of the data subject, other personal data that may lead to the stigmatization or exclusion of the data subject, usernames, passwords, and other registration elements, personal data that may be used for identity fraud.
Data controller: A natural or legal person, public authority, agency, or other body that, individually or jointly with others, determines the purposes and means of processing personal data.
Processor: A natural or legal person, public authority, agency, or other body that processes personal data on behalf of the data controller.
Consent: A voluntary, specific, informed, and explicit indication of the data subject's wishes, by which they agree, through a statement or clear affirmative action, to the processing of personal data concerning them.
Personal data breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored, or otherwise processed.
Privacy by design: Taking privacy risks into account throughout the design process of a new product or service, rather than considering privacy issues only afterwards. This means carefully evaluating and implementing appropriate technical and organizational measures and procedures from the outset to ensure compliance with the GDPR and protect the rights of the data subjects involved.
Privacy by default: Ensuring that within an organization, mechanisms are in place to ensure that, by default, only the necessary amount of personal data for each task is collected, used, and stored. This obligation applies to the extent of processing, retention period, and accessibility. These measures ensure that personal data is not made available without human intervention to an indefinite number of individuals.
Pseudonymization: Processing personal data in such a way that it can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and subject to technical and organizational measures to ensure that the personal data cannot be attributed to an identified or identifiable natural person.

2. Scope
RCA is engaged in economic activities in the area of entertainment and culture, including, but not limited to, gambling activities, restaurant and bar services, musical entertainment, organization of shows, events, and exhibitions, as well as publishing, selling, and distributing works. In the context of this activity, personal data is processed. This Privacy Policy applies exclusively to personal data for which RCA is responsible for processing within its area of activity, whether in the commercial area or in human resources. Data may be collected through personal interaction, phone calls, written communications, email, fax, or through websites.
RCA's websites may contain links to other websites that are outside RCA's control. Links to RCA's websites may also be included on external websites. RCA cannot be held responsible for data processing carried out through such external websites.

3. Purposes and grounds for data processing
The personal data processed by RCA serves various purposes and grounds:
— Management of contractual relationship: The processing of identification and other personal data is necessary for the conclusion and performance of the service contract entered into between RCA and its clients. Clients may choose to provide additional information, which will only be used to help RCA provide the best possible service.
The processing of personal data is also necessary for the fulfillment of contracts for the provision of services and goods between RCA and its suppliers.
— Legal obligations: RCA is subject to legal obligations that require data processing.
— Quality: RCA may analyze customer information collected through surveys, complaints, and other means for statistical purposes with the respective consent.
— Marketing: With the consent of the data subjects, RCA may process personal data to send information about promotions, campaigns, newsletters, and other relevant information to its clients.
— Profiling: RCA may analyze the commercial information of its clients to identify consumption profiles for statistical purposes and/or, with the respective consent, send personalized information to its clients.
— Video surveillance: For the safety of clients and employees, RCA's facilities are equipped with video surveillance systems, in accordance with the law.
— Contests and competitions: RCA may promote contests and competitions that require the processing of personal data, according to applicable regulations.
— Recruitment: Candidates may apply for specific positions (through internal recruitment or outsourcing) or submit spontaneous applications, needing to provide the necessary personal data for recruitment. The information provided by candidates will only be processed for recruitment purposes and will be kept for a maximum of 2 (two) years.
— Human resources management: For the execution of the employment contract, employees must provide personal data to RCA. If necessary, specific consents for processing data that require such will be requested (e.g., for special and sensitive data categories).
— Whistleblowing channel: In compliance with applicable legislation, an internal whistleblowing channel has been implemented, through which personal data may be processed, respecting the confidentiality guarantees provided in the applicable whistleblower protection legislation, personal data protection legislation, and the policy of the channel. Only personal data deemed necessary for analyzing and following up on reports will be processed, so excessive data will be deleted and not processed. The collected data will be retained for a period of five (5) years, after which it may be deleted or anonymized.

4. Cookies
Cookies are used on RCA's websites to improve the browsing experience and provide the best possible service. Cookies are small files stored on access devices via the browser, retaining only information related to preferences, thus not including personal data. While users can manage cookies directly in their browsers, continuing to browse the site implies consent to their use; however, disabling cookies may prevent some web services from functioning properly, partially or totally affecting navigation on the website.

5. Rights of the data subjects
Under the GDPR, data subjects have, among others, the following rights:
— Right of access;
— Right to rectification;
— Right to erasure;
— Right to restriction of processing;
— Right to data portability;
— Right to object;
— Right to withdraw consent.
If you wish to exercise any of your rights or clarify any doubts, the data subject should contact RCA in writing, addressed to “Privacy Officer,” at Av. João Bosco Mota Amaral, 6, 9500-767 Ponta Delgada, or by email at juridico@romanticasinoazores.com.

6. Duties of RCA
RCA commits to:
a) collect only data for determined, explicit, and legitimate purposes;
b) minimize data collection, promoting only relevant and limited collection to what is actually necessary for the purposes of adequate and relevant data;
c) not use the collected data for purposes other than those of collection and obtained consents;
d) update data whenever necessary;
e) retain data in such a way that identification is only possible for the period necessary for the purposes for which it was collected;
f) protect data against unauthorized or unlawful processing and against accidental loss, destruction, or damage;
g) implement the principles of privacy by design and by default in data processing activities/processes;
h) adopt a reference framework for privacy by design;
i) implement encryption or pseudonymization techniques for data in use;
j) ensure compliance with the GDPR.

This policy will be updated periodically.