Recertification: 07/2020
ADMIRAL Casinos & Entertainment AG (ACE) proved that its IT-based service ADMIRAL-Card-System complies with EU data protection law. Customers of ACE (gamers) are provided with a card that allows them to enter the casinos. They may choose to register their fingerprints as an alternative means to open the turnstiles and to activate gaming machines. Their gaming behaviour is monitored for the purpose of prevention and combating of gambling addiction as required by Austrian law. Gamers can be sure that the processing of their personal data is in line with EU data protection law.
Product/Version
ADMIRAL-Card-System
Function as provided in June 2020
Qualification: IT-based service (controller service)
View the Admiral Card-System Certificate
Cert. No.
EP-S-XZ57BD
Version of Certification Criteria
Validity
24/07/2020 – 31/07/2022
Recertification No. 1: 17/02/2017
Initial certification on 29/10/2014
Monitoring
03/2021 (O.K.)
11/2021 (O.K.)
Public report
Recertification 2020: ADMIRAL-Card-System Short Public Report 
Recertification 2017: ADMIRAL-Card-System Short Public Report
Initial certification: ADMIRAL-Card-System Short Public Report 
Manufacturer/Provider
ADMIRAL Casinos & Entertainment AG (ACE)
Griesfeldstr. 15
2351 Wiener Neudorf
Austria
BEST
The ADMIRAL-Card-System adheres to the principle of data minimisation: The processed data are necessary to identify a visitor, to monitor his gaming habits in order to prevent / tackle gambling addiction, to recognise threats to gamers’ subsistence minimum due to excessive losses and to keep track of access bans to ADMIRAL casinos. Flyers with basic information about the ADMIRAL-Card-System are available in 11 languages.
ATTENTION:
The ADMIRAL-Card is a contactless smart card that is issued by ACE to visitors of its gambling casinos. It cannot be ruled out completely that a card’s ID is read out abusively and that a card is cloned by unauthorised persons with the aid of the intercepted ID. Since competent staff conducts a visual control of each person who wants to enter a casino, the risk of a successful abusive use of a cloned card is very low. Nevertheless, ACE advises visitors to purchase and use protective covers preventing an abusive readout of the card’s ID.
Summary
The ADMIRAL Casinos & Entertainment AG (ACE) operates entertainment casinos at several locations in Austria. As a consequence of fundamental amendments of the Österreichisches Glücksspielgesetz (federal law) and relevant federal state laws, high requirements regarding prevention of gambling addiction must be met by casino operators. ACE therefore developed the ADMIRAL-Card-System, based on the NOVOCARD-Ampelsystem that was awarded the European Privacy Seal back in 2011. The ADMIRAL-Card-System is a computer-assisted system with procedures for access control and countermeasures against gambling addiction that are based on the gaming behaviour of a person. Like its predecessor, the ADMIRAL-Card-System is based on the research results of the Department for Addiction Research & Treatment of the Medical University/General Hospital of Vienna.
The ADMIRAL Card-System is a step-by-step warning system for recognizing gambling addicts and imposing an access ban on them. Basis for the status of a data subject is the monthly screening process based on continuous monitoring of gambling behaviour.
Level GREEN signals “uncritical”, YELLOW “potentially endangered”, and RED equals “no more access”. The screening process distinguishes between age groups, namely age-group 1 with data subjects from 18 – 25 years and age-group 2 with data subjects ≥ 26 years. The amount of net losses is considered, for age-group 1 a threshold value of EUR 500,00 and for age-group 2 a threshold value of EUR 1.000,00 has been set. This calculation is carried out on the basis of net losses in the last three months. As an additional parameter, the number of days of attendance is considered, for age-group 1 a threshold value > 90 attendances and for age-group 2 a threshold of > 120 attendances per half year is set. When net losses reach the relevant threshold value, a credit screening is gathered. The data subject is informed about the fact that a credit screening is carried out as well as about the result.
Details
Recert 202007
Users may now register their fingerprints with ACE as an alternative means to open turnstiles and activate gaming machines. For details on this and any other changes, please cf. the Short Public Report.
Recert 201702
In January 2016, ACE shifted its headquarters from Gumpoldskirchen to Wiener Neudorf. This move did not only concern office spaces, but also server rooms / data centers that are used – among others – for the provision of the ADMIRAL-Card-System. The new server room is located in the basement of the new headquarters and run by ACE itself. The appropriateness of the technical and organisational measures that ACE implemented in respect of the new server room was evaluated by the EuroPriSe Experts during Monitoring No. 2 in March and April 2016. The experts found that the TOMs do indeed ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected as required by Article 17 of Directive 95/46/EC.
The recent re-evaluation that was conducted by the experts from 09/2016 until 01/2017 showed that ADMIRAL-Card-System continues to meet all applicable EuroPriSe requirements. Further information can be found in the short public report that is available here:
Initial Cert 201410
The ToE includes
- ADMIRAL-Card-System Services
− Registration and creation of the customer (card)
− Logging of times of attendance
− Logging of stakes
− Queries
− Issuing and cancellation of prevention of access or prohibition of entry
− Processing of log data
− Credit screening
− PEP-Check (“politically exposed person”) - Operation of own servers located at new headquarters (new in 02/2017 recertification)
- Interfaces of the ADMIRAL-Card-System
- Interface to the Federal Data Processing Centre
- Interface/connections to the internet
The ToE does not include
- Other processes carried out by the data processing centre
- Third party networks (e.g. internet)
- ACE-Hotline
Server housing at provider A1(new in 02/2017 recertification: not in use anymore)
- Video surveillance of the turnstiles
Technical Evaluator
Mag. Jürgen Stöger
c/o Secur-Data BetriebsberatungsgesmbH
Fischerstiege 9
1010 Wien
Austria
Legal Evaluator
Prof. Hans-Jürgen Pollirer
c/o Secur-Data BetriebsberatungsgesmbH
Fischerstiege 9
1010 Wien
Austria