Scroll Top
Please select Menu Source


The purpose of this privacy policy (hereinafter referred to as “the policy”) is to inform individuals who subscribe to electronic newsletters and SMS notifications via the website about the purposes and legal basis for processing personal data, as well as other information collected by the website.

Casino Portorož, d.d, Obala 75a, 6320 Portorož, Slovenia (hereinafter referred to as “the company” or “provider” or “personal data controller”), protects your personal data in a manner that ensures their protection throughout the duration of its operations.

At Casino Portorož, we value your privacy, therefore we always carefully protect your data.

This privacy policy can be changed or supplemented at any time without prior warning or notification.

All our activities related to the processing of personal data comply with applicable European legislation, particularly Regulation (EU) 2016/697 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation or GDPR) and Council of Europe conventions (ETS No. 108, ETS No. 181, ETS No. 185, ETS No. 189), and national legislation of the Republic of Slovenia (Personal Data Protection Act (ZVOP-1, Official Gazette of the RS, No. 94/07), Electronic Commerce on the Market Act (ZEPT, Official Gazette of the RS, No. 96/09 and 19/15), etc.).

The privacy policy addresses the handling of personal data that Casino Portorož obtains from you when using the contact form to sign up for newsletters via the website.


Data Controller and Authorized Data Protection Officer

The personal data controller is Casino Portorož, Inc., Obala 75a, 6320 Portorož, Slovenia.

An authorized data protection officer has been appointed at Casino Portorož, who can be reached at the email address [email protected].

If you have any questions regarding the use of this policy or in connection with the exercise of your rights arising from this policy, please contact the authorized data protection officer.


Basic Concepts

Personal data means any information based on which an individual can be identified (including name, surname, email address, telephone number, etc.).

The controller means a legal entity that determines the purposes and means of processing your personal data.

The processor means a legal or physical person who processes personal data on behalf of the controller.

Processing means the collection, storage, access, and all other forms of use of personal data.

EEA means the European Economic Area, which includes all EU member states, Iceland, Norway, and Liechtenstein.

SMS and EMAIL notification is an additional benefit offered by Casino Portorož, which an individual can use upon membership or through registration on the website.

Personal data is information that identifies you as a specific or identifiable individual. An individual is identifiable when they can be directly or indirectly determined, especially by specifying an identifier such as a name, identification number, location data, online identifier, or by specifying one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of the individual.

The provider, in accordance with the purposes defined in the continuation of this policy, collects the following personal data:

Basic user information (name and surname);

  • Contact details and data on your communication with the controller (email address, telephone number, date, time, and content of postal or email communication, date, time, and content of SMS messages);
  • Channel and campaign – the method of acquiring a member or the source through which the user came into contact with the controller (website and advertising campaign or action, physically in the branch);
  • Data on the user’s use of the controller’s website (dates and times of visits to the website, pages visited or URLs, time spent on each page, number of pages visited, total time spent on the website, settings made on the website) and data on the use of received messages (email, SMS) from the controller;
  • Other data that the user voluntarily provides to the provider upon request for certain services, if these data are necessary for the provision of the service.

Casino Portorož does not collect and process your personal data on the website without your consent. The company also processes your data when there is a legal basis for the collection of personal data, a contractual basis, or when the company has a legitimate interest in processing.

Your personal data is also obtained based on the use of cookies on our website.

Casino Portorož only collects personal data that are relevant and necessary to fulfill the purposes for which these data are processed.


Legal Basis for Data Processing

We need your data when it is necessary for the conclusion, execution, and fulfillment of contractual obligations. The provision of personal data is voluntary in this case. If you do not provide personal data, you cannot enter into a contract with the provider, nor can the provider ensure the performance of services or delivery of products.


Processing Based on Consent

We process your data when you provide us with explicit consent. When processing is based on consent, we will ensure that you have all the information you need to make your decision. You can revoke your consent at any time. If you revoke your consent, the provider may no longer be able to provide certain services.


Processing Based on Legitimate Interest

The provider may also process data based on a legitimate interest, except when such interests are overridden by the interests or fundamental rights and freedoms of the individual whose personal data require protection. In cases of legitimate interest, the provider always conducts an assessment in accordance with the General Data Protection Regulation. If processing is based on legitimate interest, the user has the right to object. You can read more about your rights later in this policy.


Purposes of Processing Personal Data

Casino Portorož legally sends SMS and email messages to members of the SMS and EMAIL club who have accepted the general terms and conditions. Based on legitimate interest to prepare relevant offers during this messaging, we perform mild segmentation based on certain characteristics such as:

  • Demographic data (gender, age)
  • History of visits to branches
  • Locations

Based on your consent, the company also performs personalized communication via SMS and EMAIL notifications. Because we want to offer you the best possible offers and content tailored exactly to your needs, we create your profile with your consent, which is the basis for personalized communication.

In this process, we do not use any semi-automatic or automatic profiling but simply select appropriate sets of recipients for individual messages. We never focus on individual data, but perform aggregate processing of larger groups.

You can object to segmentation by contacting [email protected].

A favorably resolved objection will not prevent the sending of SMS and EMAIL messages if the individual does not unsubscribe from the SMS and EMAIL club.

Unsubscribing from the SMS club does not prevent the sending of general notifications, provided there is a legal basis for such sending. More about other legal bases and options for sending can be found in the general conditions of the SMS club.


Enforcing Legal Claims, Protecting Our Rights, and Resolving Disputes

Personal data for a specified purpose are collected in accordance with the law.

Processing of Personal Data Outside the Purposes of Notification

This privacy policy includes the processing of personal data that occurs when an individual joins the SMS or EMAIL club. However, the company wants to highlight that there is a separate processing of personal data exclusively for existing members of the loyalty club. This means that an individual who has signed up for notifications via the website will continue to receive messages even if registered in the SMS and EMAIL club, but these will not include special benefits available only to club members.


Retention of Personal Data

The provider will retain your personal data only as long as necessary to achieve the purpose for which the personal data was collected.

Personal data processed based on the law are kept for a period prescribed by law.

Personal data processed due to the performance of a contractual relationship with an individual are kept for the period necessary to execute the contract and for five years after its termination, except in cases where there is a dispute between you and the company regarding the contract; in such a case, the company keeps the data for five years after a final court or arbitration decision or settlement, or, if no legal dispute occurred, five years from the day of amicable resolution of the dispute.

Personal data processed based on an individual’s consent are kept permanently until the consent is revoked by the individual. The company deletes such data before revocation only when the purpose of processing personal data has been achieved.

After the retention period, the controller effectively and permanently deletes or anonymizes personal data so that they can no longer be linked to a specific individual.


Contractual Processing of Personal Data

The provider may entrust certain tasks related to the processing of your data to other persons (contractual processors). Contractual processors may process the entrusted data exclusively on behalf of the provider, within the limits of the provider’s authorization (in a written contract or other legal act), and in accordance with the purposes defined in this privacy policy.

Contractual processors with whom the provider cooperates are:

  • Accounting services; law offices and other legal advisory providers;
  • Data processing and analytics providers;
  • Maintainers of the 4EGI notification system;
  • IT system maintainers;
  • Customer relationship management system providers (e.g., Microsoft);
  • Online advertising solution providers (e.g., Google, Facebook).

The provider will not share your personal data with unauthorized third parties. Contractual processors may only process personal data within the framework of the controller’s instructions and must not use the data to pursue any of their own interests.


Data Transfer Restrictions

The controller and personal data users do not transfer data to third countries (outside the European Economic Area – EU member states plus Iceland, Norway, and Liechtenstein) or to international organizations, except to the USA – all contractual processors in the USA are included in the Privacy Shield program.


Freedom of Choice

You control the information you provide about yourself. If you choose not to share your data with the provider, certain services cannot be provided.



The provider is committed to ensuring the security of personal data. Your data is continuously protected against loss, destruction, tampering, manipulation, and unauthorized access or disclosure.

For the protection of personal data, we implement organizational and technical measures such as:

Employee training;

  • Monitoring of employees and regular reviews of individual employee performance;
  • Careful selection and supervision of contractual processors;
  • Backing up electronically stored data;
  • Regular maintenance and updating of computer equipment;
  • Adoption of appropriate internal policies and instructions on data protection.


Consent of Minors in Relation to Information Society Services

Minors under 18 should not provide any personal data on websites. The company will never knowingly collect personal data from individuals known to be minors (under 18 years old) or use or disclose it to unauthorized third parties.

This does not affect the general contract law of the member states, such as rules on the validity, formation, or effects of a contract in relation to a child. Considering available technology, the provider will reasonably attempt to verify whether the holder of parental responsibility has given or approved consent.


Individual Rights Regarding Data Processing

If you have any questions regarding our personal data protection policy or the processing of your personal data, you can contact us at any time. Write to us at [email protected]. Based on your request, we will provide the requested data or (in accordance with legal regulations) ensure the realization of your rights.

Regarding processing, you have the following rights:

Right to Withdraw Consent: If you have consented to the processing of your personal data for one or more specific purposes, you have the right to withdraw this consent at any time without affecting the legality of processing based on consent before its withdrawal.

Consent can be withdrawn by a written statement sent to the controller at one of the contacts listed on the website

Withdrawal of consent does not have any negative consequences or penalties for the individual. However, the controller may no longer be able to provide certain services after the withdrawal of consent for data processing, if the services cannot be provided without personal data (e.g., benefits club or personalized notifications).

Right of Access to Personal Data: As an individual, you have the right to obtain confirmation from the provider (controller of personal data) whether personal data concerning you is being processed, and if so, access to the personal data and certain information (about the purposes of processing, types of personal data, users, periods of retention or criteria for determining periods, the existence of the right to rectification or erasure of data, rights to restriction and to object to processing, and the right to complain to a supervisory authority, about the source of data if not collected from you, about the existence of automated decision-making, including profiling, its reasons and its significance and consequences for you, and other information in accordance with Article 15 of the GDPR);

Right to Rectification of Personal Data: As an individual, you have the right to have the provider promptly correct inaccurate personal data concerning you. Considering the purposes of the processing, you have the right to have incomplete data completed, including by means of providing a supplementary statement;

Right to Erasure of Personal Data (“Right to be Forgotten”): As an individual, you have the right to have the provider erase personal data concerning you without undue delay, and the provider must delete the data without undue delay when one of the following grounds applies:

(a) the data are no longer necessary in relation to the purposes for which they were collected or otherwise processed,

(b) if you revoke your consent and there is no other legal ground for processing,

(c) if you object to the processing and there are no overriding legitimate grounds for the processing,

(d) the data have been unlawfully processed,

(e) the data have to be erased for compliance with a legal obligation in Union or Member State law to which the provider is subject,

(f) the data were collected in relation to the offer of information society services.

However, you do not have the right to erasure in certain cases described in paragraph 3 of Article 17 of the GDPR;

Right to Restriction of Processing: As an individual, you have the right to obtain from the provider restriction of processing where one of the following applies:

(a) if you contest the accuracy of the data, for a period enabling the provider to verify the accuracy of the data,

(b) the processing is unlawful and you oppose the erasure of the data and request the restriction of their use instead,

(c) the provider no longer needs the data for the purposes of the processing, but they are required by you for the establishment, exercise or defense of legal claims,

(d) you have objected to processing pending the verification whether the legitimate grounds of the provider override your reasons;

Right to Data Portability: As an individual, you have the right to receive the personal data concerning you, which you have provided to a provider, in a structured, commonly used and machine-readable format, and have the right to transmit those data to another controller without hindrance from the provider to whom the personal data have been provided, where:

(a) processing is based on consent or on a contract, and

(b) the processing is carried out by automated means.

In exercising your right to data portability, you have the right to have personal data transmitted directly from one controller to another, where technically feasible;

Right to Object to Processing: As an individual, on grounds relating to your particular situation, you have the right to object at any time to processing of personal data concerning you which is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the provider (Article 6(1)(e) of the GDPR) or is necessary for the purposes of the legitimate interests pursued by the provider or a third party (Article 6(1)(f) of the GDPR), including profiling based on those provisions; the provider shall no longer process the personal data unless the provider demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms, or for the establishment, exercise or defense of legal claims.

When personal data is processed for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing; when you object to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.

When data is processed for scientific or historical research purposes or statistical purposes, you have the right, on grounds relating to your particular situation, to object to processing of personal data concerning you, unless the processing is necessary for the performance of a task carried out for reasons of public interest;

Right to Lodge a Complaint with a Supervisory Authority: Without prejudice to any other administrative or judicial remedy, as an individual, you have the right to lodge a complaint with a supervisory authority, particularly in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes data protection regulations.

Without prejudice to any other administrative or non-judicial remedy, as an individual, you have the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning you, and also in the case where the supervisory authority does not handle a complaint or does not inform you within three months on the progress or outcome of the complaint lodged. Proceedings against the supervisory authority are to be brought before the courts of the Member State where the supervisory authority is located.

An individual may address all requests regarding the exercise of rights concerning personal data, in writing, to the controller, using one of the contacts listed on the website

For reliable identification in the case of exercising rights related to personal data, the controller may request additional information from the individual, and may refuse to act only if it demonstrates that it is not possible to reliably identify the individual.

The controller must respond to the individual’s request regarding his/her rights related to personal data without undue delay and at the latest within one month of receiving the request.


Notification to the Supervisory Authority in Case of Personal Data Breach

In the event of a personal data breach, the provider is obliged to notify the competent supervisory authority unless it is unlikely that the breach has resulted in a risk to the rights and freedoms of individuals. If there is a suspicion that a criminal offense has been committed during the breach, the provider is obliged to notify the police and/or competent prosecutor.

If the breach may result in a high risk to the rights and freedoms of individuals, the provider is obliged to inform the affected individuals immediately or, if that is not possible, without undue delay. The notification to the individual must be made in a clear and understandable language.


Publication of Changes

Any changes to our personal data protection policy will be published on this website.