Grand Casino Kursaal Bern AG
1. Quality management policy
The quality policy and objectives are determined by the Executive Board in connection with the annual business plan. They are implemented in the quality management system (QMS).
The Grand Casino Kursaal Bern AG (GCKB) quality policy is based, among other things, on the following:
- The company’s corporate guidelines
- The results of the self-evaluation
- Internal and external quality assurance
- The expectations of our customers and society
- Financial possibilities
- Employee expectations
- Our mission statement
- Market developments
- Framework conditions of the quality policy and objectives:
- Compliance with all relevant laws
- Certification in accordance with ISO 9001:2015
- Analysis and further development of existing structures and workflows
- Optimisation of service provision
- Transparent planning and structuring of all efforts/processes related to coordination and provision of services
- Improvement of internal communication
- The objectives of the GCKB quality policy are:
- To operate the casino (both sales channels) in a lawful manner on the basis of the QMS
- To perfectly and efficiently operate the casino on the basis of the QMS, and therefore achieve a high level of customer satisfaction and company profit
- To use ISO 9001:2015 as a tool for the creation of a coherent QMS and for its optimisation
In a time in which ever-stricter requirements are placed on our services and competition continues to grow, the importance of quality as a competitive factor increases accordingly. For this reason, the Executive Board unreservedly acknowledges the vital role that quality plays in the company and has formulated our quality objectives in the following guiding principle: Quality is not something that happens automatically; it is something that each and every employee needs to work hard for every single day.
2. Information security policy
Initial situation
GCKB has been certified in accordance with ISO 27001:2013 and is committed to meeting the requirements of this standard. The scope of this certification covers all business activities and processes at all locations.
Objectives of information security
GCKB has defined the following objectives:
- Suitable protection of information and assets with regard to availability, confidentiality and integrity
- Compliance with legal, contractual and internal requirements in terms of information security
- The use of ISO 27001 as an everyday tool for quality assurance and the ongoing development of the company
The ISMS of the Grand Casino Bern
All processes and rules that serve to guarantee the information security of GCKB with regard to its stakeholders are contained in GCKB’s information security management system (ISMS). The ISMS is communicated to employees on an ongoing basis. Employees are also trained in accordance with their roles and responsibilities. The application of these guidelines is mandatory and binding.
Continuous improvement
The GCKB ISMS is regularly reviewed and adapted based on the current circumstances. In the interest of continuous improvement, the competencies of all concerned departments are further developed on an ongoing basis.
Organisation and responsibilities
Executive Board
The Executive Board is the highest operative decision-making body within the company and delegates tasks, responsibilities and competencies in terms of information security to the CISO.
Internal employees/general
All GCKB employees who perform tasks within the scope of the ISMS are responsible for information security in their respective departments. The superiors at all hierarchy levels are obligated to provide the necessary resources and skills. They are obligated to sustainably implement all necessary security measures within the scope of their area of responsibility. They instruct and train their employees as needed.
CISO
The Chief Information Security Officer (CISO) is responsible for the creation and definition, monitoring, management, operation and continuous improvement of the ISMS. He or she reports to the Executive Board and works together with the Head of Security in the area of physical security.
Asset owners
Asset owners define rules for the permitted use of the information and assets provided by them, document these and implement them.
Risk owners
Risk owners guide the process for information security risk evaluation and management for their assigned risks. They analyse and evaluate the risks and define the appropriate measures.
Supplier manager
The supplier manager organises and operates the interface between the suppliers assigned to him or her and the internal organisation.
Head of Physical Security
Due to regulatory requirements, separate personnel is to be responsible for physical security and for information security. Within the context of information security, the Head of Physical Security works on behalf of the CISO.
Audits
GCKB reviews information security with scheduled internal and external audits that are performed at regular intervals. The results of these audits are integrated into the continuous improvement measures.
Penalties
GCKB agrees upon contractual penalties with third parties that may come into effect in the event of repeated or one-time serious violations of the security regulations and directives. If internal employees violate the security regulations and directives, labour-law penalties will be introduced.
Definitions
Information security: Information security is defined as all measures that are introduced, implemented, reviewed and continually improved for the purpose of upholding the confidentiality, integrity and availability of information. These measures can be organisational, technical or structural in nature.
- Confidentiality: guarantee that only authorised persons can access information
- Integrity: safeguarding the soundness and completeness of information and methods used to process said information
- Availability: guarantee that authorised users will be granted needs-based access to information and the corresponding assets
Information security management system (ISMS): An ISMS is defined as:
- All rules, processes and workflows within an area of application that define, manage, implement, audit, maintain and continually improve information security.
- These are documented in accordance with the ISMS framework, with statement of applicability (SoA) controls, and with the corresponding policies, process overviews and additional supporting documents.
Chief Information Security Officer (CISO): The CISO is responsible for information security within his or her assigned area of responsibility.
3. Data Privacy Policy
GCKB Data Privacy Policy
We, Grand Casino Kursaal Bern AG (GCKB), are a private-law gambling firm headquartered in Bern. We are responsible for data processing in connection with the operation of the casino (online and land-based) and the processing of our employees’ data.
The objective of this Data Privacy Policy is, in particular, compliance with and implementation by GCKB of the legal requirements in terms of data protection, both internally and externally.
The central idea of our Data Privacy Policy is compliance with all relevant legal requirements and compliance with and further development of all of the requirements and guidelines of the DPMS. As a result of many of our activities, we gain access to the personal data of our guests and employees. For this reason, we are committed to respecting the privacy of all of our guests and, in particular, to protecting them against improper processing of their data and to guaranteeing their legal rights. For this reason, we comply with the following relevant laws and ordinances, in particular:
- Swiss Gambling Act (Geldspielgesetz – BGS)
- Swiss Gambling Ordinance (Geldspielverordnung – VGS)
- The Swiss Federal Department of Justice and Police (FDJP) Gambling Ordinance (Spielbankenverordnung des Eidgenössischen Justiz- und Polizeidepartements (EJPD) – SPBV-EJPD)
- Anti-Money Laundering Act (Geldwäschereigesetz – GwG)
- Anti-Money Laundering Ordinance (Geldwäschereiverordnung EJPD – GwV-EJPD)
- Ordinance of the Swiss Federal Gaming Board (FGB) on the Diligence of Casinos in Combating Money Laundering and the Financing of Terrorism (Anti-FGB-Money Laundering Ordinance; Geldwäschereiverordnung der Eidgenössischen Spielbankenkommission (ESBK) – GwV-ESBK)
- Data Protection Act (Bundesgesetz über den Datenschutz – DSG)
- Ordinance to the Federal Act on Data Protection (Verordnung zum Bundesgesetz über den Datenschutz – VDSG)
- Swiss Code of Obligations (Obligationenrecht – OR)
- Swiss Telecommunications Act (Fernmeldegesetz – FMG)
- Federal Act on Unfair Competition (Bundesgesetz gegen den unlauteren Wettbewerb – UWG)
By complying with this Data Privacy Policy, we ensure that the data is processed in accordance with the legal and contractual basis of GCKB and we protect the identities and fundamental rights of our guests as well as our employees in accordance with the relevant legal provisions.
Moreover, we implement processes intended to safeguard the rights of all persons affected. For this reason we do our best, in particular, to provide individuals with information on the personal data we have processed within the legally defined time limit.
We make sure that all employees receive the information that is necessary for their work and also receive appropriate training based on their role and area of responsibility.
We have designed and protect our IT system so that we can provide our services to our guests and employees while appropriately guaranteeing the confidentiality, integrity and availability of their data.
GCKB's DSMS is reviewed annually and adapted to the current legal requirements
The Board of Directors and the Executive Board bear the overall responsibility for data protection, provide appropriate means for compliance with data protection requirements, and are responsible for suitable auditing and monitoring of data protection.
Every employee is responsible in their respective role for creating and upholding the necessary and appropriate framework conditions for data privacy and data security.
GCKB has appointed an operational Data Protection Officer and registered this individual with the Swiss Federal Data Protection and Information Commissioner (FDPIC). The Data Protection Officer helps the Executive Board in an advisory capacity with the establishment and maintenance of the conformity of data processing with the applicable legal data protection requirements as well as any additional legal requirements or other binding obligations that are relevant for data processing.
The Information Security Officer helps the Executive Board in an advisory capacity with regard to monitoring, compliance with and further development of the information security measures. He or she recommends corrective measures in the event that information security standards are breached. If necessary, he or she works together with the responsible authorities and the Data Protection Officer.
Grand Casino Kursaal Bern AG, 8 May 2020