Privacy Policy

Welcome to our Privacy Policy. It is very important for us to keep you informed on how we handle and keep your data safe. This policy will give you information on:


  • What kind of personal data we collect
  • How we collect your personal data
  • Why we collect your personal data
  • How long we keep your data
  • Your privacy rights

1. Who we are

1.1. CASINO RODOS S.A. (hereinafter referred to as “CRSA”) has a shareholder structure divided as follows:

National Shareholders:


  • Aenias S.A.
  • Roslyn Geronikolas

International shareholders:


  • Avalon B.V.
  • Shopson LTD
  • Isis Pharma LTD

with Tax ID Number 094434871 (Tax Office of Rhodes).

1.2. This privacy policy is issued on behalf of CASINO RODOS S.A. (CRSA). CRSA is the data controller responsible for and in charge of the data. So when we say ‘we’, ‘us’, or ‘our’ in this policy we are actually referring to CRSA.

2. How to contact us

An appointed Data Protection Officer (“DPO”) is responsible for overseeing your questions in relation to this privacy policy. If you have any questions about this policy, please contact our DPO at:  Email:

Address: 4, Georgiou Papanikolaou str., Rhodes, Greece 85 131

Telephone: +30 2241097400

3. Definitions

“Registered Customer” means a person who has registered with the CRSA upon first entry to the Casino and who has been given an entry status upon first visit;

“Service” means the availability and provision of the games that enables you to Participate and any other service or product offered by CRSA;

“We/Us/Our” means CRSA, in all matters pertaining to the Games, together with (where context permits) its holding companies and subsidiaries;

“You/Your” and also referred to as “Player”, means any person who enters the Casino and Participates in any game provided by CRSA.

“Data processing”: ‘processing’ means any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

3. What types of personal information we collect

3.1. Mandatory Customer Data

3.1.1. You will be required to submit a valid photo identification proving your age (minimum age requirement is 21 years) and address upon entering the Casino. Acceptable identification documentation includes, but is not limited to, a current and valid passport, driving license or ID card.

3.1.2. When you visit the Casino for the first time we provide you with a membership application form via electronic tablet that you need to fill in and sign in order for CRSA to issue you a digital member card, also known as Player Member Card. As required by law (Law 2206/1994 and Casino Regulation No. 303/5/27.02.2018) we collect the following types of data:


  1. First name / Surname
  2. Father’s name
  3. Date of birth
  4. Nationality
  5. Type & Number of ID form (ID or Passport or driving license)
  6. Full-stated address
  7. Landline/ Mobile phone
  8. Profession
  9. Email address

3.1.3. Besides the above details, during the registration process we take a digital photo of you.

3.1.4. As required by law, we maintain records with the following types of data:


  1. Number of visitors
  2. Dates of entry
  3. Memberships and new memberships
  4. Loyalty program participants
  5. Banned player data (including names and other personal information)
  6. Exclusion event history, violation attempts, revocations etc.
  7. Complaints records (including complainant’s name, ground of complaint, CRSA response etc.)

Please note that you may at any time request banning from the Casino. You or your family members (children and spouse) can ask for a temporary banning from CRSA according to the provisions of the law. If you ban yourself temporarily you will not be able to enter the Casino during the entire duration of the banning period according to the provisions of law.

3.2. Loyalty Programs & Player Member Card

3.2.1. CRSA has created a particularly attractive Loyalty Program which enables its members to earn points according to their gaming activity and to redeem them against a variety of benefits. Upon your first registration and the issuing of your Membership Card you automatically qualify for our Loyalty Program. You earn points as long as you play in one of our slot machines using your Membership Card inside the machine, and as long as your gaming activity at one of the live games tables is tracked by CRSA staff. The points earned on your card are valid for redemption until December 31st of the respective year, on which date they expire regardless of how many points have been redeemed by that date.

3.2.2. Player Member Card

For the protection of your privacy your Player Member Card bears no information on it. The card itself does not record any personal information but if used in our electronic systems it can provide access to the following information:


  1. Dates, number of entry to the Casino
  2. Credit purchase history, cash-in cash outs
  3. Gaming history (applies mainly to slot machines)
  4. Loyalty program points earned
  5. Banning/exclusion history
  6. Entrance history to Casino’s parking area

As long as you use this Card, CRSA automatically tracks your gaming activity and specifies your membership status as explained below.

3.3. Membership Benefits

3.3.1. CRSA provides a 3-tier membership scheme (Bronze, Silver, Platinum level) based on your Loyalty Program management and your overall gaming activity. CRSA collects your gaming activity data either manually from table games or automatically through the Player Membership Card used in the slot machines.

3.3.2. For a comprehensive overview of our Loyalty scheme and Membership benefits see below:



CRSA focuses on your most recent gaming activity, namely your last three months.

3.4. Other Information Related to Customers

3.4.1. As provided by law and relevant regulative provisions, we are required to record 24/7 all main and side areas of CRSA on audiovisual files (CCTV footage) except the WC area and the employees’ relaxing areas. These files ensure the proper gaming activity, the accuracy of all cash transactions and the overall gaming control and public order.

3.4.2. For the same reason we may also record car plates when cars enter the CRSA parking area.

3.4.3.  We also keep track of all marketing communication activities as required by law.

4. Why do we collect your data?

4.1. We collect your data:


  1. To register and verify your identity details in order to allow you to enter CRSA and to offer you our gaming services as required by law and any other regulation
  2. To perform our gaming services subject to the contract that we will enter into or we have entered into with you upon your registration
  3. To provide information to the competent authorities, such as the Hellenic Gaming Commission (hereinafter called “EEEP”) as required by law and relevant regulative provisions
  4. To identify your gaming activity and provide you with customized offers, benefits and privileges according to your Membership Status, on condition that your interests or personal rights do not override our legitimate interest to personalize our goodies. The base of this reason is the implementation of our contractual obligations and our legitimate interest (Know Your Customer, Loyalty Program, maintain memberships)
  5. To deliver related statistical insights for better contract performance and to understand better your overall gaming activity, preferences and patterns following our legitimate interest and according to the law
  6. For filing purposes as required by law and relevant regulative provisions following our legitimate interest
  7. For safety and security reasons as required by law and relevant regulative provisions
  8. For direct marketing purposes as allowed by the law (Law 3471/2006) using the communication channel (email/SMS/WhatsApp/Viber) through which you have selected to be contacted on our service provision ground. More specifically, as long as we provide you with our services on a service provider – customer basis we may use your personal data such as your email address to contact you with CRSA’s newsletters, marketing or promotional material and other information that may be of interest to you. You may opt out at all times very easily simply by following the “Unsubscribe” link or any other opt-out options we provide
  9. For further communication in regards to other events and information about our hotel and restaurant or to send you an evaluation form, upon your explicit consent. This communication refers mainly to our Restaurants, the Hotel Grande Albergo delle Rose and events (e.g. concerts, etc.) that take place in our premises. You may withdraw your consent or modify your preference at any time simply by using one of the tablets at the Reception desk or by following the “Unsubscribe” link or any other opt-out options we provide

4.2. We will only use your personal data on the lawful ground and purpose for which we initially collected it, unless we reasonably identify other lawful purpose, in principle compatible with the original purpose. If you wish a detailed explanation of the ground on which the processing for the new purpose is compatible with the original purpose, please contact us at In the event that we need to use your personal data for an unrelated purpose, we will notify you explaining in detail the legal ground that allows us to do so.

5. Our rules for collecting your data


  1. We only use the data as required by law in order to implement our contractual obligations and fulfill the legitimate interest of our company to manage the membership benefits, execute the loyalty program and get a better knowledge of our client base.
  2. We meet the GDPR requirements in the country where we provide you with a service via our website, our applications and our on-property services.
  3. We keep data that we are legally required to keep on record in the context of the implementation of our contractual obligations and our legitimate interests, including gaming activity.
  4. We fully explain why we need the data and how we will use it (unless we have legitimate reason not to provide this explanation).
  5. We check and update privacy information on a regular basis (we might also cross-check the data against other databases to ensure its accuracy).
  6. We do not share data with any third party(ies) unless we have a legal or legitimate reason, or we have your consent to do so.

6. With whom may we share your personal data?

Categories of data recipients:


  1. Official authorities under a legal obligation like:
    1. The Hellenic Gaming Commission (hereinafter called “EEEP”)
    2. Following a legal obligation or authoritative enforcement of any kind
    3. Courts, governmental authorities and related regulatory bodies
  2. Our affiliated companies and shareholders
  3. With any third party subject to your consent

We share no data with any third party whatsoever. 

7. How long do we hold your data?

7.1. We hold all mandatory data for at least 10 (ten) years, starting from the day following their latest modification, in accordance with the Law and relevant regulative provisions.

7.2. We hold loyalty programme data for the entire duration of the programme.

7.3. We hold memberships, gaming activity history, insights and statistics for an infinite period of time.

8. Information about your rights

8.1. As a Player you have certain rights concerning the processing of your personal data. However, these rights are subject to the legislative and regulative restrictions. More particularly you are entitled to the following rights:


  1. Right to information. CRSA shall respond to any query regarding your personal data in a concise, transparent, intelligible manner, written in clear and plain language.
  2. Right to access all personal data you provide to CRSA, in printed or in electronic form free of charge and all related information, like purposes of processing, types of personal data concerned and time of processing. For further information regarding Subject Access Requests see our Subject Access Request Policy (Article 9 below).
  3. Right to amend any inaccurate or outdated data, or to complete any incomplete data where permitted by the law and relevant regulative provisions.
  4. Right to receive or ask CRSA to transfer your data further in a structured, commonly used machine-readable format, also known as data portability right. This right applies namely to all mandatory data you have provided to us and to your gaming activity data.
  5. Right to have your personal data deleted, on condition that:
    1. CRSA has no legal obligation to do otherwise;
    2. There is no overriding legitimate ground for further processing;
    3. The personal data was unlawfully processed (i.e. in breach of the General Data Protection Regulation);
    4. The personal data has to be erased in order to comply with a legal obligation;
  6. Right to restriction of any data processing activities in the event that you dispute the accuracy of the data involved and CRSA has not yet verified this accuracy. Individuals have a right to restrict the processing of their personal data. When processing is restricted, we are permitted to store the personal data, but not further process it. CRSA will retain just enough information about the individual to ensure that the restriction is respected in future.
  7. Right to objection at any time regarding:
    1. The points you have earned in the loyalty program
    2. Your membership status
    3. Your overall gaming activity
  8. Right not to be subject to a decision based solely on automated processing. This right refers namely to your membership status.

8.2. All rights can be exercised by submitting a written or electronic request to the Reception of the Casino free of charge (e-mail: at all times.

8.3 CRSA shall respond within thirty (30) calendar days of submission of the request unless further actions need to be carried out.

8.4. CRSA reserves the right to verify the identity of the person making the request, asking for an official stamp from KEP or from a police station proving the authenticity of the signature of the person who submits the request.

8.5. In any case, you may submit a complaint to the Greek Data Protection Authority (

9. Subject Access Request Policy

9.1. When dealing with a subject access request, CRSA will provide a copy of the information free of charge. However, CRSA may charge a ‘reasonable fee’ when a request is manifestly unfounded or excessive, particularly if it is repetitive or for requests that require multiple copies.

9.2. Information will be provided without delay within one month of submission of the request. In the event of multiple or complex Subject Access Requests, CRSA may extend its response period by one additional month providing explanation for this delay.

9.3. In the event that CRSA refuses to respond to a Subject Access Request, CRSA shall explain the reasons for the denial. Upon receiving such a response you may lodge a complaint with the supervisory authority and seek a judicial remedy without undue delay and within one month at the latest.

9.4. CRSA reserves the right to verify the identity of the person who submits the request, using ‘reasonable means’. If the request is made electronically, CRSA will provide the information in a commonly used electronic format.

9.5. In the event that CRSA processes a high volume of data of the person who submitted the request, it reserves the right to ask for detailed specifications and/or additional information regarding the submitted request. The GDPR does not include an exemption for requests that relate to large amounts of data, but we may be able to consider whether the request is manifestly unfounded or excessive.

10. Complaints about our behavior

10.1. You have the right to submit a complaint if you believe that CRSA has not properly implemented its obligations regarding the protection of your personal data.

10.2. We have assigned a Data Protection Officer, who will take your complaint very seriously. You can contact our Data Protection Officer on this email: We will send you a confirmation within 5 days of receiving your complaint and will take all necessary steps to deal with the issue within 30 days. However, if the issue is particularly complex or requires further actions, we may need additional time for which we will keep you updated.

10.3. Additionally, you are entitled to submit a complaint to the authorities, but because we take privacy matters very seriously, we would really appreciate it if you first talked to us.

You can complain about:


  1. How your personal data has been processed
  2. How your request for access to data has been handled
  3. How your complaint has been handled
  4. Appeal against any decision made following a complaint

11. How we communicate with you

11.1. If you have provided us with your contact information (mail address, fax number, email address or phone number), we may want to inform you about our services, our promotions and our offers or send you our news according to the preferences that you have specified, via email, online advertising, social media, WhatsApp, telephone, text message (including SMS and MMS), postal mail, our customer service call center, and other means.

11.2. If you prefer not to receive email-marketing materials from us, you may opt-out at any time by using the unsubscribe function in the email you receive from us or by informing our Reception desk by calling +30 22410 97425.

12. Overseas Transfers of Your Personal Data

12.1. Your personal data will be stored in our local data server. Your personal data will not be transferred to countries outside of the EU. In case we need for any reason to transfer your data, we will only do so to countries that meet the minimum requirements of adequate or comparable levels of protection in order to protect personal data held in that jurisdiction, and (where we are required to do so) with your consent.

12.2. In case your personal data is transferred from within the EU to outside of the EU, we use Model Clauses, ensuring that such data transfers are compliant with applicable privacy legislation.

12.3. The information you provide to us may be given to our third party service suppliers outside of the European Economic Area for the purpose of delivering the personalized services and communications stated above. We will always take steps to ensure that your information is used by third parties in accordance with this Privacy Notice and that your information is kept secure at all times. In particular, in relation to any transfer to a third party in a country that is not subject to an adequacy decision by the EU Commission, such transfer will be appropriately protected through mechanisms such as EU Commission approved standard contractual clauses, an appropriate Privacy Shield certification or Binding Corporate Rules. A copy of the relevant mechanism can be provided by our reception desk for your review upon request.

13. Changes to our Privacy Policy

From time to time we may make changes to this Policy in order to comply with changes in the law or to provide better practice, or because of changes in the way we provide our services or we collect and use your personal information. We will always display clearly when the Policy was last updated and, wherever possible, we will notify you of any relevant changes.

Latest update: 11 October 2019