LOTTOLAND
PRIVACY POLICY
Last Updated: 29th May 2024
Navigating this Policy
Welcome to Lottoland’s Privacy Policy.
If you are viewing this Privacy Policy online or on PDF, you can click on the below links to navigate to the relevant section:
- INTRODUCTION & SCOPE OF THIS PRIVACY POLICY
- Lottoland respects your privacy and is committed to protecting your personal data. This privacy policy (this “Privacy Policy”) tells you about how we look after your personal data when you visit our website(s) or use our app(s) (regardless of where you visit it from) or you interact with us or our services.
- This Privacy Policy aims to give you information on how Lottoland collects, stores and processes your personal data, along with details of your rights as a data subject. It is important that you read this Privacy Policy alongside our Cookies Policy and any other privacy or fair processing notice we may provide on specific occasions when we are collecting or processing personal data so that you are fully aware of how and why we are using your data.
- This Privacy Policy is directed at users of our website(s) and our customers (accountholders).
- In this Policy, “Personal Data” means any information relating to you as an identified or identifiable natural person (“Data Subject”) as a “natural person”; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an online identifier or to one or more factors specific to your physical, physiological, genetic, mental, economic, cultural or social identity (i.e. natural persons are human beings and this expression includes living individuals but excludes corporate or legal entities, trusts or legal arrangements). Certain jurisdictions may also use the expression “Personal Information” (or other similar expression) in a similar manner in accordance with local laws, the underlying principles set out in this Policy will nonetheless apply to the collection, use and/or retention of any such data. For the avoidance of doubt, Personal Data does not include data from which you cannot be identified (which is referred to simply as data, non-personal data, or anonymous/anonymised data).
- In this Policy, “processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination of Data, or the restriction, erasure or destruction of same. Likewise, “process” shall be interpreted accordingly.
- References to “special categories” of Personal Data means Personal Data concerning/revealing in respect of natural persons:
- racial or ethnic origin;
- political opinions;
- religious or philosophical beliefs;
- trade union membership;
- genetic data;
- biometric data for the purpose of uniquely identifying a natural person;
- health; or
- sex life or sexual orientation
- References to Personal Data relating to “criminal convictions and offences” includes the alleged commission of offences, proceedings in relation to such offences or the disposal of such proceedings, including sentencing.
- If and when we, Lottoland, determine the purposes and means of processing of your personal data, then we are a “controller”, and anyone who acts on our instructions in respect of such processing is a “processor”. There may be times where we act as controller and processor.
- We offer our services in or from within Gibraltar, which is no longer part of the European Union (“EU”). Accordingly, Gibraltar has its own data protection laws that apply certain EU laws (with necessary modification). This is referred to as the “Data Protection Legislation”, which includes:
- The Data Protection Act 2004 (as amended)(“DPA 2004”), and regulations made under that Act; and
- The “Gibraltar GDPR”, which is essentially the EU’s General Data Protection Regulation or (Regulation (EU) 2016/679, or the “EU GDPR”) as it forms part of Gibraltar law. This basically means it is read slightly differently to the EU GDPR but still offers privacy protections and guarantees in a similar manner.
- If you live or work outside of Gibraltar, other laws, including the EU GDPR, may be applicable to your individual circumstances. The EU GDPR applies to the processing of personal data of data subjects who are in the EEA by a controller or processor not established in the EEA, where the processing activities are related to:
- the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
- the monitoring of their behaviour as far as their behaviour takes place within the Union.
- References to the “EEA” are to the European Economic Area which includes all Member States of the European Union, as well as Norway, Iceland and Liechtenstein, and for the purposes of this Privacy Policy should be interpreted in accordance with references to “the Union” in EU GDPR and similar legislation.
- WHO WE ARE AND HOW TO CONTACT US
- Lottoland is made up of different legal entities including Lottoland Holdings Limited. This Privacy Policy is issued on behalf of the Lottoland Group (which includes Lottoland Holdings Ltd, its parent company and subsidiaries) so when we mention “Lottoland”, “we”, “us” or “our” in this Privacy Policy, we are referring to the relevant company in the Lottoland Group responsible for processing your data. The data controller of your personal data is Lottoland Holdings Limited, a private company limited by shares incorporated in Gibraltar, and subject to Gibraltar law, having its registered office at Suite A, Ocean Village Promenade, Ocean Village, Gibraltar GX11 1AA.
- We have appointed a data protection officer (DPO) who is responsible for overseeing questions in relation to this Privacy Policy. If you have any questions about this Privacy Policy, including any requests to exercise your rights as a data subject (as detailed in this Privacy Policy), please contact the DPO using the details set out below.
Lottoland
Suite A
Ocean Village Promenade
Ocean Village
Gibraltar, GX11 1AA
Email: [email protected]
- The Lottoland Group also offers its services within the EEA and outside of the EEA. In accordance with Art. 27 EU GDPR, Lottoland Holdings Limited, as controller, has designated a representative in the EEA (“EU representative”). You can contact our EU Representative to exercise your rights under the EU GDPR or to discuss any sort of data protection issue relating to services provided to you if you are outside of Gibraltar. Our EU Representative is:
Instant EU GDPR Representative Limited
Office 2, 12A Lower Main Street
Lucan, Co. Dublin
K78X5P8
Ireland
Tel: +353 1 5549700
Support website: https://lottoland.gdprlocal.com/eu
Email: [email protected]
- In accordance with Art. 27 UK GDPR, Lottoland Holdings Limited, as controller, has designated a representative in the United Kingdom (“UK representative”). You can contact our UK Representative to exercise your rights under the UK GDPR or to discuss any sort of data protection issue relating to services provided to you if you are based in the United Kingdom. Our UK Representative is:
GDPR Local Ltd
1st Floor Front Suite
27-29 North Street
Brighton
BN1 1EB
Tel: +44 1772 217800
Support website: https://lottoland.gdprlocal.com/uk
Email: [email protected]
- See further information at section 11 of this Privacy Policy on your rights as a data subject.
- THE DATA WE COLLECT ABOUT YOU
- We may collect, process, store and transfer different kinds of personal data about you which we have grouped together into “categories” of Personal Data as follows:
- Identity Data includes: first name, last name, username or similar identifier, title, date of birth, gender, nationality, tax identification numbers, employment/occupation or business activity details (which may include employment history).
- Contact Data includes: address, email address and telephone numbers.
- Financial Data includes: bank account, payment card details, alternative payment methods, and in limited cases may also include salary and employer/source of income/funds and/or affordability information.
- Transaction Data includes: details about payments to and from you and other details of bets placed, games played, and products purchased from us.
- Technical Data includes: internet protocol (IP) address, your login data, unique device identifiers, browser type and version (including search engine as well as the keywords used to find the website(s)), operating system and/or platform used, time zone setting and location, browser plug-in types and versions and other technology on the devices you use to access our products and games. Such information may be required by us in the event of attacks on our information technology systems, but is generally anonymised or de-identified and therefore will not constitute your Personal Data unless you can be identified from the same. Further information on Technical Data collected is found in our Cookie Policy.
- Profile Data includes your username and password (the latter which is encrypted and securely stored), purchases or orders made by you, your interests, preferences, feedback and survey responses.
- Usage Data includes information about how you use our website/app, bets placed, products and games played.
- Marketing and Communications Data includes your preferences in receiving marketing from us and our third parties and your communication preferences
- We also collect, use and share Aggregated Data such as statistical or demographic data. Aggregated Data may be derived from your personal data but is not considered personal data as this data does not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific website feature.
- We may also ask you to provide evidence of your identity such as asking for a copy of your passport, driving licence, proof of residence or income or any relevant identification card or national ID. We are required to ask for this information to comply with anti-money laundering, counter-terrorist financing or counter-proliferation financing (“AML/CFT/CPF”) legislation such as the Proceeds of Crime Act 2015 and applicable legal and regulatory guidance, to comply with relevant requirements and/or ensure that we safeguard against and report any suspicious activity whether within Gibraltar or within your specific location.
- We will not generally process any “special categories” of data unless required to do so by law or in compliance with our legal and/or regulatory obligations or in cases where you have provided your explicit consent or where we are lawfully permitted to do so without your consent (including e.g. personal data which is manifestly made public by you).
- We will not generally process Personal Data relating to criminal convictions and offences, unless required to do so by law (e.g. in the context of our AML/CFT/CPF obligations where we run background checks and identify previous convictions in the media/open sources or from background checks carried out by us or using third party providers/services).
- HOW YOUR PERSONAL DATA IS COLLECTED
- We use different methods to collect data from and about you including the following.
Direct interactions
- You may give us your Identity Data, Contact Data and Financial Data by filling in forms or by corresponding with us by post, phone, email, chat or otherwise. This includes Personal Data you provide when you:
- place a bet with us or play a game;
- create an account with us;
- request marketing to be sent to you;
- enter a competition, promotion or survey; or
- give us some feedback; or
- make a complaint.
Automated technologies or interactions
- As you interact with our website(s)/app(s), we may automatically collect Technical Data about your equipment, browsing actions and patterns. We collect this information by using cookies, and other similar technologies (such as Google Analytics). We may also receive Technical Data about you if you visit other websites employing our cookies. Further information on our use of cookies and similar technologies is found in our Cookie Policy. In addition, we may also use automated technologies that make use of artificial intelligence, and further information on this is contained at section 8 of this Privacy Policy.
Third parties or publicly available sources
- We may also receive Personal Data about you from various third parties (including regulatory or statutory bodies, self-exclusion schemes, crime prevention agencies, credit or ID verification services and/or publicly available sources) and utilise this information for things like carrying out further identification and/or integrity checks to minimise fraud, cheating or money laundering risks to the business.
- HOW WE USE YOUR PERSONAL DATA
- We will only use your personal data when the law allows us to. Most commonly, we will use your Personal Data in the following circumstances:
- where we need to perform services under the contract we are about to enter into or have entered into with you;
- where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests;
- where we need to comply with a legal or regulatory obligation; or
- with your consent.
- Generally, we do not rely on consent as a legal basis for processing your personal data other than in relation to sending direct marketing communications to you via email or text message. You have the right to withdraw consent to marketing at any time by contacting us on [email protected] or by changing your marketing preferences in the My Account section of your account, or clicking on the “unsubscribe” option within the marketing concerned.
Purposes for which we will use your Personal Data
- We have set out below, in a table format, a description of the main ways we may use your Personal Data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate. Note that we may process your Personal Data for more than one lawful ground depending on the specific purpose for which we are using your data:
| Purpose/Activity | Type of data | Legal basis for processing |
|---|---|---|
| To register you as a new customer and manage and administer our relationship with you. To verify your age and to ensure you are not gambling from a restricted country. | Identity; Contact | Performance of a contract with you; Necessary to comply with a legal obligation; Necessary for our legitimate interests |
| To process your bet and to enable you to play games including: (a) manage payments from you, and pay you winnings; (b) collect and recover money owed to us including any fees and charges | Identity; Contact; Financial; Transaction; Marketing and Communications | Performance of a contract with you; Necessary for our legitimate interests (to recover debts due to us) |
| To manage our relationship with you which will include: (a) notifying you about changes to our terms and conditions or privacy policy; (b) asking you to leave a review or take a survey; or (c) to enable you to interact with our Customer Care team via email, phone and live chat. | Identity; Contact; Profile; Marketing and Communications | Performance of a contract with you; Necessary to comply with a legal obligation; Necessary for our legitimate interests (to keep our records updated and to study how customers use our products/services) |
| To enable you to partake in a prize draw, competition or complete a survey | Identity; Contact; Profile; Usage; Marketing and Communications | Performance of a contract with you; Necessary for our legitimate interests (to study how customers use our products/services, to develop them and grow our business) |
| To administer and protect our business and the security of our website(s)/app(s) (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data) | Identity; Contact; Technical | Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise); Necessary to comply with a legal obligation |
| To deliver relevant website(s)/app(s) content and advertisements to you and measure or understand the effectiveness of the advertising we serve to you | Identity; Contact; Profile; Usage; Marketing and Communications; Technical | Necessary for our legitimate interests (to study how customers use our products/services, to develop them, to grow our business and to inform our marketing strategy) |
| To use data analytics to improve our website/app, products/services, marketing, customer relationships and experiences | Technical; Usage | Necessary for our legitimate interests (to define types of customers for our products and services, to keep our website/app updated and relevant, to develop our business and to inform our marketing strategy) |
| To make suggestions and recommendations to you about our products and offers or promotions that may be of interest to you and to carry out direct marketing | Identity; Contact; Technical; Usage; Profile; Marketing and Communications | Necessary for our legitimate interests (to develop our products/services and grow our business) |

Marketing and Promotional offers from us
- We strive to provide you with choices that are relevant to your interests and a personalised online experience, so you can receive offers or products that are relevant for you, in accordance with your marketing preferences. We may use your Identity, Contact, Technical, Usage and Profile Data to form a view on what we think you may want or need, or what may be of interest to you. We then tailor our promotions or marketing material and contact you directly in order to offer these to you. This is known as “direct marketing”. You will receive direct marketing communications from us if you have opened an account with us, placed a bet or played a game or if you provided us with your details when you entered a competition or registered for a promotion and, in each case, you have not unsubscribed from receiving marketing communication, or self-excluded from gambling with an industry scheme. See section 11 of this Privacy Policy for further information on your rights in relation to direct marketing, and further information on opting-out.
Third party marketing
- Third parties (i.e. companies and/or service providers outside of the Lottoland Group) may wish to market their services to you. We will get your explicit consent (i.e. ask you to opt-in) before we share your Personal Data with any company outside the Lottoland Group of companies for third party marketing purposes. Any marketing you subsequently receive from them is/will be subject to that third party’s own privacy policy.
If you fail to provide Personal Data
- Where we need to collect Personal Data by law, or under the terms of a contract we have with you and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you. In this case, we may have to terminate your account or cancel a bet you have placed with us.
- DISCLOSURES OF YOUR PERSONAL DATA
- We may have to share your personal data with the following recipients or categories of recipients set out below for the purposes set out in the table in section 5 of this Privacy Policy:
- Other companies in the Lottoland Group acting as joint controllers or processors and who provide customer services, IT system administration services and undertake leadership reporting.
- Identification verification agencies and fraud prevention agencies used to provide customer due diligence including, money laundering, fraud, sanction checks in the context of our AML/CFT/CPF or responsible gambling obligations.
- If you are based within the UK, when we check your identity when you first become a customer, or check your financial status as required by our regulatory obligations, we may share information with a third-party verification provider and/or credit reference agency and this will leave a “soft” footprint on your credit file.
- External third parties to provide marketing and promotional services on our behalf.
- Third parties to whom we may choose to sell, transfer, or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this Privacy Policy.
- Service providers who provide IT and system administration services.
- Professional advisers, including lawyers, bankers, auditors and insurers who provide consultancy, banking, legal, insurance and accounting services to Lottoland.
- Regulators and other authorities who require reporting of processing activities in certain circumstances.
- We require all third parties to respect the security of your Personal Data and to treat it in accordance with the law. We do not allow our third-party service providers to use your Personal Data for their own purposes and only permit them to process your Personal Data for specified purposes and in accordance with our instructions, as our processors (defined above). However, in limited circumstances and with your explicit consent, we may share your Personal Data with specific third parties as notified to you from time to time, who may wish to market their services to you.
- INTERNATIONAL TRANSFERS
- We share your personal data within the Lottoland Group of companies and third-party service providers. This may involve transferring your data outside of Gibraltar and/or the EEA which is known as a third country transfer or a “restricted transfer”. For the purposes of Gibraltar GDPR, a “third country” means a country or territory outside Gibraltar, and for the purposes of EU GDPR a third country means any territory outside of the EEA. Accordingly, and following Brexit, Gibraltar and the UK are considered third countries for EU GDPR purposes.
- We will only share your Personal Data with third parties or international organisations outside of the EEA, United Kingdom or Gibraltar where we have a legal basis for doing so, such as to provide you with our services or because we ourselves use service providers (processors) outside of the EEA, United Kingdom or Gibraltar to operate our business.
- Whenever we transfer your personal data out of Gibraltar and/or the EEA to a third country or international organisation, we ensure a similar degree of protection is afforded to it by ensuring at least one or more of the following apply:
Transfers to adequate territories
We may transfer your Personal Data to territories that have been deemed to provide an adequate level of protection for personal data by either the European Commission (in respect of processing subject to the EU GDPR) or deemed adequate in the United Kingdom (and by extension, Gibraltar) based on adequacy regulations for the purposes of the UK GDPR and Part 2 of the UK Data Protection Act 2018 (in respect of processing subject to the Gibraltar GDPR). See Article 45 Gibraltar GDPR for further information on the meaning of “UK GDPR” and “UK Data Protection Act 2018”.
Transfers subject to appropriate safeguards
We may transfer your Personal Data where we implement “appropriate safeguards” provided for under Article 46 of Gibraltar GDPR or EU GDPR (as the case may be). This may include the following:
- Binding corporate rules implemented within the Lottoland Group (if any)
- standard data protection clauses specified in regulations made under the Data Protection Legislation in Gibraltar or by the Information Commissioner in Gibraltar (where Gibraltar GDPR applies), or standard data protection clauses adopted or approved by the European Commission (where EU GDPR applies);
- approved codes of conduct issued under Gibraltar GDPR or EU GDPR (as the case may be); or
- approved certificated mechanisms under Gibraltar GDPR or EU GDPR (as the case may be)
In certain limited cases, where we are unable for any reason to apply appropriate safeguards and transfers are not to an adequate territory or international organisation, we may rely on certain exemptions provided for under Gibraltar GDPR and/or EU GDPR, and in situations where transfers may be necessary for a defined set of reasons. These reasons include:
- where you have provided your explicit consent to the proposed transfer, after having been informed of the possible risks of such transfers for you as a data subject due to the absence of an adequacy decision and appropriate safeguards;
- the transfer is necessary for the performance of a contract between you and Lottoland or the implementation of pre-contractual measures taken at your request;
- the transfer is necessary for the conclusion or performance of a contract concluded in your interest between Lottoland and another natural or legal person (e.g. lottery agents/authorities abroad)
- the transfer is necessary for the establishment, exercise or defence of legal claims.
Transfers to the United Kingdom
- Under Gibraltar GDPR Art. 45, a transfer of Personal Data to a third country or an international organisation may take place if it is a transfer to the UK. Accordingly, where Gibraltar GDPR applies, transfers to the UK may take place without additional safeguards.
- AUTOMATED DECISION-MAKING (INCLUDING PROFILING) AND THE USE OF ARTIFICIAL INTELLIGENCE (AI)
- “Automated decision-making” is the process of making a decision by automated means without any human involvement. A decision is therefore solely automated if there is no meaningful input by a human in the final decision being made about a person. In most cases, we do not use automated decision-making when processing Personal Data as decisions will generally have human involvement. If this changes, we will confirm this to you and provide meaningful information about the logic involved, as well as the significance and the envisaged consequences for you. However, certain third parties (e.g. credit referencing agencies) may use certain automated decision-making tools or software, including artificial intelligence (see below). We are not responsible for any automated decision-making by third parties (see section 14 of this Privacy Policy), but may take reasonable steps to bring such automated decision-making to your attention.
- “Profiling” means any form of automated processing of Personal Data consisting of the use of Personal Data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements. The context of our profiling activities is generally limited to assigning risk profiles to our customers based on AML/CFT/CPF obligations but we may use artificial intelligence in certain cases to analyse and predict trends concerning gambling behaviour (particularly in the context of our responsible gambling obligations). Relevant exemptions from Gibraltar GDPR and EU GDPR allow us to undertake such activity without needing to provide further information to you if it is in the context of assigning risk profiles and reducing financial crime. We reserve our right to refuse to do business with any customer, and our non-acceptance or discontinuance of services may or may not be related to a profiling decision and/or legal obligation(s) imposed on us.
Artificial Intelligence (AI)
- Artificial intelligence (“AI”) refers to when a machine can demonstrate intelligence (i.e. learning, reasoning, understanding of concepts and recognition of patterns etc.) through analysis of inputted data and information. This allows use of machine learning to synthesize, make inferences, and even problem-solve. ‘Generative AI’ typically uses large language models or “LLMs” and some applications create “generative pre-trained transformers” or “GPTs”. Whereas Generative AI turns machine learning inputs into content, ‘Predictive AI’ uses machine learning in an attempt to determine the future and prevent bad outcomes by using data to identify early warning signs.
- Where AI makes decisions and there is no human involvement (beyond the inputting stage), then that will be wholly automated decision-making as defined above. However, where the final decision is subject to human intervention or involvement, then this will not be automated decision-making.
- From time to time, we may make use of such automated technologies by implementation of processing that uses AI to analyse and predict trends and recognise patterns. In most cases, we will use Aggregated Data as the input data for use of AI technology, and AI will not be used as a collection method for Personal Data. However, we will leverage the benefits of AI in our decision making processes and therefore use AI in our processing of Personal Data to meet certain processing purposes and needs, such as complying with our AML/CFT/CPF or responsible gambling obligations, or to generate relevant marketing content, promotions or strategies. To this end, Lottoland may make decisions about what the target output of AI models will be (i.e. what is being predicted or classified), or about what features will be used in such models, and in such cases will remain a controller. In other cases, Lottoland may be a joint controller with the third party supplying the AI system, and will provide further information by way of separate privacy notices to explain the joint controller arrangement to data subjects.
- As further explained under section 11 of this Privacy Policy, you have a right not to be subject to a decision based solely on automated processing, including profiling (i.e. without human intervention). This means you can request a human review of a decision made about you using automated processing, including through use of AI. Lottoland monitors its use of AI to ensure your privacy rights are safeguarded and carries out data protection impact assessments (“DPIAs”) where appropriate. In addition, whilst Lottoland will take all reasonable steps to ensure that the output of AI systems is not incorrect or misleading as to any matter of fact, accuracy of AI systems is not guaranteed, given there could be errors at the input stage (e.g. human error) and/or at the processing stage (e.g. errors in particular algorithms or LLMs, or in reading illegible or difficult to read text). These errors could result in the output and decision-making stage having accuracy issues and incorrect inferences being drawn from the input data. To mitigate against this, Lottoland will implement reasonable measures including, but not limited to:
- carrying out DPIAs and other due diligence on AI systems and suppliers;
- ensuring that any incorrect outputs of AI systems can be quickly identified and remedied;
- considering the impact of potentially incorrect inferences on decisions to be made about data subjects;
- considering possible bias in the way variables are measured, labelled or aggregated, including the potential for discrimination by developers and/or users of AI systems; and
- endeavouring to use AI in decision-support in the majority of cases, with limited use of AI in automated decision-making.
- DATA SECURITY
- The accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data is known as a “data breach”. We have put in place appropriate physical, technical and administrative security measures to prevent data breaches and deal with these when they arise. These measures include internal policies regarding data breach prevention and internal/external reporting (as may be required), as well as physical and IT security measures to monitor and restrict processing. In addition, we limit access to your Personal Data to those employees, agents, contractors and other third parties who have a business need to know. Such persons will only process your Personal Data on our instructions and are subject to duties of confidentiality, and of complying with our data protection procedures.
- We undertake to inform you, to the extent we are required to do so, if your personal data is compromised and there is a high risk to your rights and freedoms as a result.
- DATA RETENTION
- We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including:
- maintaining business records for the purposes of satisfying any legal, accounting, or reporting requirements;
- complying with record retention requirements under relevant laws;
- exercising, establishing or defending legal claims; or
- dealing with complaints regarding our services.
- To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
- By law we have to keep basic information about our customers (including Contact, Identity, Financial and Transaction Data) for at least five years after they cease being customers in the context of our AML/CFT/CPF obligations.
- We may retain your Personal Data for longer periods where such retention is necessary for compliance with a legal obligation to which we are subject, or where another lawful basis applies. For example, where Personal Data is collected pursuant to a contract or prior to the creation of a contract, these may be retained by us for a period of 6 years after the termination of the contract pursuant to our legitimate interests in defending any legal claims which may be brought against us, or which we may wish to bring.
- Upon expiration of the relevant period we have determined is suitable for retention of your Personal Data, we will either delete or anonymise such Personal Data. If, for technical reasons, we are unable to delete or anonymise such Personal Data (either partially or entirely), we will put in place appropriate measures to prevent further processing, placing this data beyond use, and/or implementing pseudonymisation where possible.
- YOUR RIGHTS AS A DATA SUBJECT
- General
- You have certain rights under the Data Protection Legislation, which are explained in this section.
- Depending on your particular circumstances, you may also have additional rights if you live or work outside of Gibraltar. For example, the EU GDPR may apply to you if you are based in the EEA, and in certain cases you may have rights under the EU GDPR. You can find out more about the EU GDPR and your rights (if any) by accessing the European Commission’s website(s) at the following Link: https://ec.europa.eu/info/law/law-topic/data-protection_en.
- Right to information
- You have a right to be informed about the processing of your Personal Data (and if you did not give it to us, information as to the source) and this Privacy Policy intends to provide the required information.
- Your right to information is limited in certain cases, and the requirements to give information do not apply insofar as:
- the provision of information to you proves impossible or would require disproportionate effort on our part in order to provide. This is provided that we take appropriate steps as controller to protect your rights as a Data Subject, your freedoms and your legitimate interests, including by making information publicly available (as this Privacy Policy intends to do);
- obtaining information or disclosure is expressly laid down by Gibraltar law to which we are subject and which provides appropriate measures to protect your legitimate interests;
- the personal data must remain confidential subject to an obligation of professional secrecy regulated by Gibraltar law (such as statutory obligations of secrecy); or
- you already have the information.
- Right to request access
- You also have a right to access information we hold about you (commonly known as a “data subject access request”). We are happy to provide you with details of your Personal Data that we hold or process, providing that doing so does not affect the rights of others or reveal their personal data (unless they consent). Importantly, this right does not provide a right of access to documents, and only to a copy of your Personal Data, and certain supplementary information, most of which is already contained in this Policy.
- Right to rectification
- You have the right to have any inaccurate Personal Data about you rectified and to have any incomplete Personal Data about you completed.
- The accuracy of your information is important to us. Please refer to section 13 of this Privacy Policy regarding your duty to inform us of changes. We may need to verify the accuracy of the new data you provide to us.
- Right to erasure (right to be ‘forgotten’)
- You have the general right to request the erasure of your Personal Data in the following circumstances:
- the Personal Data is no longer necessary for the purpose for which it was collected;
- you withdraw your consent to consent based processing and no other legal justification for processing applies;
- you object to processing for direct marketing purposes;
- we unlawfully processed your Personal Data;
- erasure is required to comply with a legal obligation that applies to us; or
- the personal data have been collected in relation to the offer of information society services (note this does not apply to processing by Lottoland).
- We will proceed to comply with an erasure request without delay and to such extent we are able to do so. However, note that your right to erasure is a qualified right and does not apply where continued retention is necessary for:
- exercising the right of freedom of expression and information;
- complying with a legal obligation under Gibraltar law or other law to which we may be subject;
- the performance of a task carried out in the public interest or in the exercise of official authority vested in Lottoland (note this is generally not applicable to our processing);
- archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes, under certain circumstances (note this is generally not applicable to our processing); or
- the establishment, exercise, or defence of legal claims.
- In addition, we may not always be able to comply with your request of erasure for specific legal or operational reasons which will be notified to you, if applicable, at the time of your request.
- Right to restriction of processing
- You have a right to ask us to restrict processing of your Personal Data in the following situations:
- you contest the accuracy of the Personal Data;
- where processing is unlawful you may request, instead of requesting erasure, that we restrict the use of the unlawfully processed personal information;
- we no longer need to process your personal information but need to retain your information for the establishment, exercise, or defence of legal claims; or
- you have exercised your right to object (see below) and pending verification of whether our legitimate grounds (or those of a third party) override your interests, rights and freedoms.
- In cases where you exercise this right, we will only be allowed to store the Personal Data, and may not process it further without your consent, unless the processing is for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest. We will also need to inform you before a restriction of processing is lifted.
- Right to data portability
- Where the legal basis for our processing is your consent or the processing is necessary for the performance of a contract to which you are party or to take steps at your request prior to entering into a contract, you have a right to receive the Personal Data you provided to us in a structured, commonly used and machine-readable format, or ask us to send it to another person.
- We are not responsible for any third party’s use of ‘ported’ information. Note that this right only applies where processing is carried out by automated means (i.e. excluding paper files). Processing by “automated means” is understood as general electronic processing, and is to be distinguished from automated decision-making (explained in this Privacy Policy). Further, this right does not include any additional data that is created by us based on the data you have provided.
- Right to object
- General right to object:
You have a general right to object to processing of your Personal Data under certain circumstances, which include:
- where we rely on legitimate interests as the lawful basis;
- where our processing is for direct marketing purposes (including profiling for direct marketing purposes) (see below);
- where processing is for scientific or historical research purposes or statistical purposes on grounds relating to your particular situation. Note that we do not process your Personal Data for these purposes; or
- where processing is based on performance of a task carried out in the public interest or in the exercise of official authority vested in us as the controller. Note that we do not rely on this lawful basis, which mostly applies to public authorities.
- Right to freedom from direct marketing (opting-out):
You have a right to opt-out of receiving our direct marketing, also referred to as ‘opting out’. You can exercise this right at any time by contacting us. You can ask us to stop sending you marketing messages at any time by following the opt-out or ‘unsubscribe’ links on any electronic marketing messages/material sent to you or SMS that you receive from us, or by changing your marketing preferences in the My Account section of your account. Where you exercise a marketing opt-out, we may need to retain your details to ensure we do not send you further marketing. The exercise of your right of opting-out does not affect our ability to contact you otherwise than for direct marketing purposes (e.g. to notify you of changes to our terms of service, of any issues with your account, or to request any information we may require in order to meet our AML/CFT/CPF obligations).
- Except in cases of objecting to direct marketing, where your right to opt-out of the receipt of marketing communications persists, where you exercise your right to object, we will cease to process your Personal Data unless there are compelling legitimate grounds for processing which override your interests, or we need to process your Personal Data to establish, exercise, or defend legal claims. Note that exercising the right to object may impact the services we can provide, and we will explain this to you if you decide to exercise this right. If you still wish to exercise your right to object, we may have to terminate your account or cancel a bet you have placed with us but we will notify you if this is the case at the time.
- Right to freedom from automated decision-making (including profiling)
- You have a right not to be subject to a decision based solely on automated processing, including profiling (i.e. without human intervention), which produces legal effects concerning you or similarly significantly affects you.
- This does not apply if the decision:
- is necessary for entering into, or performance of, a contract between you and Lottoland;
- is required by Gibraltar law; or
- is based on your explicit consent.
- Lottoland shall implement suitable measures to safeguard your rights and freedoms and legitimate interests. These measures shall include at least the right to obtain human intervention and to express your point of view and contest the decision.
- Right to lodge a complaint with the Information Commissioner and/or a relevant supervisory authority
- If you wish to raise a complaint on how we have handled your Personal Data, we encourage you to contact us in the first instance using the details in section 2 of this Privacy Policy so we may try and resolve your complaint.
- If we have not responded to you within a reasonable time or if you feel that your complaint has not been resolved to your satisfaction, you are entitled to make a complaint to the Information Commissioner under the Data Protection Act, which is presently the Gibraltar Regulatory Authority (“GRA”). You may contact the GRA on the below details:
Address: Gibraltar Regulatory Authority, 2nd Floor, Eurotowers 4, 1 Europort Road, Gibraltar
Email: [email protected]
Phone: (+350) 200 74636
Fax: (+350) 200 72166
Website: www.gra.gi
- In certain cases, you may also have the right under the EU GDPR to lodge a complaint with the supervisory authority in the country of your habitual residence, place of work, or the place where you allege an infringement of one or more of our rights has taken place, if that is based in the EEA.
- Right to withdraw consent
- Where the legal basis for processing your Personal Data is your consent, you have the right to withdraw that consent at any time (without affecting the lawfulness of processing based on consent before its withdrawal) by contacting us using the details found in section 2 of this Privacy Policy.
- Consent should be as easy to withdraw as it is to give, so we will normally provide options for you to change your preferences and remove consent you have given previously. Note that withholding or withdrawing consent may limit the scope of services we are able to provide, and we will inform you of the consequences of withholding or withdrawal at the relevant time.
- EXERCISING YOUR RIGHTS
- Contact
- If you wish to exercise any of the rights set out above, please contact the DPO on the details set out in section 2 of this Privacy Policy.
- No fee usually required
- You will not have to pay a fee to access your Personal Data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
- What we may need from you
- In certain cases (e.g. where we do not recognise an email address), we may need to request specific information from you to help us confirm your identity (or confirm the authority of anyone purporting to act on your behalf). This is a security measure to ensure that Personal Data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
- Time limit to respond
- We try to respond to all legitimate requests within one month. Occasionally it may take us longer than this if your request is particularly complex or you have made a number of requests, and we may wish to extend the timeframe for us to respond by an additional two months (3 months in total). In such cases, we will notify you of any such extension within one month of receipt of the request, together with the reasons for the delay, and keep you updated.
- Electronic form
- Where you make your request by electronic means, our response shall be provided by electronic means where possible, unless otherwise requested by you.
- Extent of our obligations to other recipients
- We shall communicate restriction, rectification or erasure of Personal Data to each recipient to whom the Personal Data have been disclosed, unless this proves impossible or involves disproportionate effort. In particular, for erasure requests, where we have made Personal Data public and are minded to erase the Personal Data, we shall take reasonable steps (taking account of available technology and the cost of implementation), including technical measures, to inform other controllers who are processing the Personal Data that you have requested erasure.
- YOUR DUTY TO INFORM US OF CHANGES
- It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us. If any of your personal details are or become incorrect, you can update them in the “My Account” section, or you can contact our Customer Care team via email at [email protected].
- CHANGES TO THIS PRIVACY POLICY
- We may update this Privacy Policy from time to time by publishing a new version on our website(s) or app(s). We may choose to notify you of significant changes to this Privacy Policy by email (if you are a customer or are subscribed to our emailing lists), and will also update the “Last updated” field at the top of this Privacy Policy.
- The new version of the Privacy Policy will, however, take effect immediately upon its publication on our Website(s)/App(s).
- ADDITIONAL TERMS
- Third party links
- This website or App may include links to third-party websites, plug-ins and applications (for example Facebook, Twitter etc). Clicking on those links or enabling those connections may allow third parties to collect or share your Personal Data.
- We are not responsible for the privacy practices of others, and you are encouraged to become familiar with the privacy practices of any third party sites you visit or any third parties you enter into any agreements with. Likewise, we do not control third-party websites and are not responsible for their privacy statements. When you leave our website(s), we encourage you to read the privacy policies/notices of every website you visit.
- No services to children
- Protecting children’s privacy is important to us. For that reason, we do not collect or maintain information on our website from those we actually know are under the age of 18 (notwithstanding any legal definition of “child” or “children” or other legislation setting a lower age for a person to be considered a child). No part of our website is targeted to attract anyone under 18. We request that all visitors to our website who are under 18 not disclose or provide any personal data (including by attempting to open an account) and discontinue use of our website.