Data Protection
ALDERNEY GAMBLING CONTROL COMMISSION
The Data Protection (Bailiwick of Guernsey) Law, 2017
Data Processing Notice
Introduction
This website is operated by the Alderney Gambling Control Commission. The principal place of business of the Alderney Gambling Control Commission is St Annes House, Queen Elizabeth II Street, Alderney, Channel Islands, GY9 3TB.
The Alderney Gambling Control Commission is an independent body corporate established by the Gambling (Alderney) Law, 1999 to supervise and control licensed gambling. In addition to the Gambling (Alderney) Law, 1999 the Alderney eGambling Ordinance, 2009 and the Alderney eGambling Regulations, 2009 apply to the operations of the Alderney Gambling Control Commission.
In order for the Alderney Gambling Control Commission (AGCC) to carry out its regulatory functions and meet its legal responsibilities it needs to collect certain personal data and in doing so it is a “data controller” of that information for the purposes of the General Data Protection Regulation (GDPR) which applies to European Union citizens wherever they are based and the Data Protection (Bailiwick of Guernsey) Law, 2017 the object of which is to protect the rights of individuals in relation to their personal data, in a manner equivalent to the GDPR and Law Enforcement Directive.
Notification and Data Protection Officer
The AGCC has notified its data processing to the Office of the Data Protection Commissioner in Guernsey (www.odpc.gg) and is number 11216 on the Register of Data Controllers.
The AGCC has appointed a Data Protection Officer. The Data Protection Officer can be contacted by email at [email protected] or by telephone on +44(0)1481 825500.
What is personal data
Personal data is defined as any information relating to an identified or identifiable natural person (ie a living individual). It includes obvious means of identification such as a person’s name as well as other identifiers such as identification numbers, online identifiers as well as other factors specific to the physiological, genetic, mental, economic, cultural or social identity of that person. In addition to personal data there is also “special category data” which includes information relating to a person’s racial or ethnic origin, their political opinions, trade union membership, religious or philosophical beliefs as well as genetic data, biometric data, health data and information relating to a person’s sex life or sexual orientation.
Why does the AGCC process personal data?
The AGCC collects personal data in accordance with a number of legal bases.
1. Legal obligation: the processing is necessary for the AGCC to comply with the law.
2. Contract: the processing is necessary for a contract the AGCC has with an individual or an organisation or because the AGCC has been asked to carry out specific tasks before entering into a contract.
3. Public task: the processing is necessary for the AGCC to carry out a task in the public interest or for an official function and the task or function has a clear basis in law.
4. Consent: the processing is carried out with the clear and unambiguous consent of the individual for their data to be processed for a specific purpose.
5. Vital interest: the processing is necessary to protect someone’s life; and
6. Legitimate interest: the processing is necessary for the purposes of the legitimate interests of the controller or third party.*
*This applies in only very limited instances for processing that is not strictly connected with the exercise by the AGCC of its public functions.
The bulk of the processing of personal information carried out by the AGCC will fall within categories 1 to 3 inclusive above.
Special Category data will be processed in line with one of the bases in 1 to 5 and it is most likely to be processed for performing a public task or meeting a legal obligation imposed upon the AGCC by Alderney Law or wider laws in force in the Bailiwick of Guernsey.
The AGCC is a regulator and collects and processes personal data in relation to its regulatory functions and responsibilities. Personal data will mostly be processed on the basis that it is necessary for the AGCC to perform a task that is in the public interest or in order to carry out a function that a statute requires of the AGCC.
Applicants for licences and certificates
The AGCC is required to be satisfied that those companies applying for licences and certificates are “fit and proper” to hold that licence or certificate. In addition certain people involved in the ownership or management of licensees or certificate holders may be required to hold a certification that is personal to them (a Key Individual Certificate). The process for assessing the fitness and propriety of a corporate applicant will require that individuals connected to that applicant are investigated. The data that is collected during the application process is used to determine whether a licence or certificate should be issued.
Legislation requires that, for the purpose of licence and certificate applications, information is provided. If information is not provided then the application cannot be processed. The provision of false information is a criminal offence and regulatory or criminal action may result. Information that is supplied for the purpose of licence and certificate obligations must be accurate and up to date and if, following the submission of the application, there is a change to the information supplied, the AGCC must be updated.
When assessing fitness and propriety personal data will be obtained in relation to individuals and individuals connected to applicants from third parties. These third parties include, but are not limited to, other regulators (both domestic and international), the Police and credit reference agencies.
This processing is required to ensure that the licensing objectives set out in the Alderney eGambling Ordinance, 2009 are met. These are:-
i. Protecting and enhancing the reputation of Alderney as a well-regulated eGambling centre;
ii. Ensuring that eGambling is conducted honestly and fairly and in compliance with good governance;
iii. Preventing eGambling from being a source of crime, being associated with crime, or being used to support crime, including preventing the funding, management and operation of eGambling from being under criminal influence; and
iv. Protecting the interests of young persons and other vulnerable persons from being harmed or exploited by eGambling.
Personal data that is collected for licensing purposes may be used for other reasons including:-
- Complying with the AGCC’s statutory functions and legal obligations.
- Undertaking on-going regulatory activity to meet the licensing objectives.
- Assisting other regulators and law enforcement bodies.
- Internal management purposes.
- Collating statistics for publication or other research purposes or determining future policy.
- Complying with international obligations.
Wherever possible information that is used for internal management purposes or the collation etc of statistics will be anonymised but there may be occasions when anonymisation might not be possible.
Existing licensees and certificate holders
In addition to ensuring that those who apply for a licence or certificate are fit and proper the AGCC is also required to ensure that those who have applied for and been granted a licence or certificate remain fit and proper to hold that licence or certificate on an on-going basis. This means that the AGCC will, as part of the reporting regime imposed by eGambling legislation on licensees and certificate holders, obtain and process personal data. Periodic reporting forms may require personal data to be provided and the AGCC may also obtain personal data from other sources prior to processing it. This information is held and processed by the AGCC in order to meet the obligations imposed on the AGCC by legislation and international obligations.
Publication
The AGCC is required to publish the details of companies that have applied for licences and certificates prior to the application being determined. In addition the AGCC maintains a list of licensees and associate certificate holders on its website. Where regulatory action is taken against a licensee or certificate holder the AGCC may publish certain information if it is in the public interest. Personal data may be used in determining the public interest and any such publication may involve the publishing of personal data.
Investigations and Regulatory action
eGambling legislation requires that the AGCC carries out activities to assess compliance with eGambling legislation and whether there have been any regulatory breaches. Personal data will be used in these activities and in the event that breaches have been found, used in regulatory proceedings or shared with law enforcement bodies for the purpose of criminal proceedings.
Personal data may also be used to meet the AGCC’s wider remit of keeping under review the extent and character of eGambling on the Island of Alderney. However where information is used for this purpose it will, as far as possible, be anonymised. This processing is necessary to fully understand the risks faced in the eGambling sector and the risks to individual consumers.
Player complaints
The player section of the AGCC’s website has an area dealing with complaints.
This can be found at www.kenshido.com/player-complaints/ and sets out the process to be followed where a player has a complaint about an operator.
In the first instance complaints arising from customers based in the United Kingdom will be addressed to the operator and, if necessary, will be handled by an Alternative Dispute Resolution (ADR) process. Where the complaint cannot be concluded by way of the ADR process it will be handled by the AGCC in accordance with eGambling legislation. This will require the processing of personal data. The AGCC will create a complaint file which will identify the complainant and possibly others, if involved. Personal data relating to the complainant will be shared with the relevant operator/s. The relevant operators will need to process information about the complainant to deal with the complaint and will need to share this information with the AGCC to enable the AGCC to resolve the complaint. The more information that is provided the better able the AGCC will be to deal with the complaint.
For customers not located in the United Kingdom any complaint must first be raised with the operator and thereafter it will be handled by the AGCC in accordance with eGambling legislation. This will require the processing of personal data. The AGCC will create a complaint file which will identify the complainant and possibly others, if involved. Personal data relating to the complainant will be shared with the relevant operator/s. The relevant operators will need to process information about the complainant to deal with the complaint and will need to share this information with the AGCC to enable the AGCC to resolve the complaint. The more information that is provided the better able the AGCC will be to deal with the complaint.
Information obtained and used in handling a complaint may subsequently be used in regulatory proceedings. In the event that an adverse finding is made against an operator in these circumstances the AGCC will endeavour to anonymise the complainant’s data.
The AGCC routinely publishes statistics about complaints handled. These statistics do not publicly identify complainants.
Employees – current, former and future
The AGCC processes personal data (including, on occasions, special category data) in order to determine job applications. In addition the AGCC processes personal data of former employees in order to meet specific obligations with regard to matters such as taxation, social insurance and pensions.
The AGCC also processes personal data of current staff to meet its obligations as an employer.
Information relating to staff who have been unsuccessful in their recruitment application is kept for a period of six months after the closing date for applications. Information received as a result of speculative applications will not be retained and those who contact the AGCC in such a manner will have their documentation returned and will be advised to regularly visit the AGCC’s website to learn of any recruitment taking place.
Other people the AGCC processes personal data about
As a regulator the AGCC will process personal data relating to third parties who might be relevant to its work as a regulator. This can include advisors to applicants or operators, academics, witnesses in investigations, other regulators, enforcement agencies and interested members of the public. The AGCC also obtains information about those who may have provided the funding for an applicant or operator even if they fall outside of the application or are not a Key Individual.
This personal data will be used in the context of the AGCC’s regulatory activities or for reasons connected with the AGCC’s wider remit with regards to gambling.
The AGCC may receive personal data from enquiries made directly to it about the licensing regime from those who may be interested in obtaining an eGambling licence or certificate.
Cookies
The AGCC’s website uses essential cookies. These are necessary for the security and functioning of the AGCC website. No personal data is collected.
The AGCC does not use cookies for collecting user information. Except as otherwise stated, we may use information visitors provide via links from this website to communicate information to them (if they have requested it). We do not disclose any information visitors may provide via the website to any third parties or other government departments except where:
- such disclosures are necessary to fulfil our service obligations to them, in which case we will require such third parties to agree to treat it in accordance with this Privacy Policy
- required by applicable laws, court orders or government regulations (for example to prevent or detect crime), or
- they give us permission to do so.
We take reasonable precautions to prevent the loss, misuse, or alteration of data that visitors give us.
The cookies that are used on the AGCC website, their purpose, the period for which they are in use and their type are set out in the table below:-
| Cookie Name | Purpose | Duration | Cookie Type |
| --- | --- | --- | --- |
| XSRF-TOKEN | Used for security reasons | Session | Essential |
| hs | Used for security reasons | Session | Essential |
| svSession | Used in connection with user login | 12 months | Essential |
| SSR-caching | Used to indicate the system from which the site was rendered | 1 minute | Essential |
| _wixCIDX | Used for system monitoring/debugging | 3 months | Essential |
| _wix_browser_sess | Used for system monitoring/debugging | Session | Essential |
| consent-policy | Used for cookie banner parameters | 12 months | Essential |
| smSession | Used to identify logged in site members | Session | Essential |
| TS* | Used for security and anti-fraud reasons | Session | Essential |
| bSession | Used for system effectiveness measurement | 30 minutes | Essential |
| fedops.logger.X | Used for stability/effectiveness measurement | 12 months | Essential |
| wixLanguage | Used on multilingual websites to save user language preference | 12 months | Functional |
Retention of information
The AGCC has a data retention policy. The AGCC retains data to meet its obligations in respect of legislation. The AGCC will review and revise its data retention policy as necessary.
The AGCC uses technological and organisational measures in accordance with good industry practice to keep personal data safe.
Data from third parties
In order to fulfil its statutory obligations, the AGCC obtains data from third parties. This information is obtained to assess suitability during the application process or ongoing suitability thereafter. Information may be obtained from organisations such as C5, Equifax and Experian. In addition searches may be made of publicly available information including Land Registries and Company Registrars. As part of the application process applicants agree to an Authorisation for release of information which confirms that they agree to the supply of information. Where personal data is supplied by these organisations it is not requested or supplied on the basis of consent as it is required for the AGCC to exercise its statutory functions as a regulator.
The AGCC obtains information from operators in accordance with legislative requirements or upon request where the AGCC considers that the information is necessary for the purposes of ensuring the ongoing suitability of the holder of a licence or certificate.
The AGCC obtains information from complainants, other regulators, law enforcement bodies, witnesses, advisors and experts in order to meet its obligations under the eGambling legislation. This may include special category data, for example, in relation to problem gambling.
The AGCC will not ordinarily inform individuals when data is obtained from third parties. In some circumstances the AGCC will be bound by legislation not to make any form of notification to those concerned.
Sharing of personal data
The AGCC does not routinely share data. Personal data may be shared with third parties who are performing a service on behalf of the AGCC and will be under express instructions. The AGCC may also share information with other bodies when it is legally required or permitted to do so. This may include third party payment processors, other public authorities, sports governing bodies, other gambling operators, law enforcement and regulatory bodies (both domestic and international).
Sharing personal data will be primarily for the purpose of performing regulatory functions but may also take place for the purposes of the prevention and detection of crime or for the collection of taxes and other duties or international obligations.
Enquiries received from third parties regarding licensing or certification may be forwarded to Alderney eGambling Limited, a company wholly owned by the States of Alderney and responsible for the development of eGambling businesses on Alderney and within the Bailiwick.
Your rights
Depending on the information that is held and the reasons it is being held, individuals have a number of rights as set out in the GDPR and Data Protection (Bailiwick of Guernsey) Law, 2017. Any questions should be addressed to the AGCC’s Data Protection Officer [email protected]
The right to rectification
Individuals are entitled to have relevant records and files amended if the personal data held is inaccurate or incomplete.
The right to erasure
In limited circumstances individuals will have the right to request that their data be erased. The circumstances are where the data is no longer needed for the purpose it was collected for, where consent to hold the data is withdrawn and there is no other lawful basis on which the AGCC can process it, the individual objects to the processing and there are no overriding legitimate grounds to continue to process the data, or where the data has been unlawfully processed.
However this will only apply in limited circumstances as the AGCC’s obligation to process data to comply with a legal obligation or perform a public task will take priority.
The right to restrict processing
Individuals have the right to restrict the processing of their data if the accuracy of the data is contested. This restriction will last for the period necessary to verify the accuracy of the data. Also if the processing is unlawful the individual may request that the processing be restricted instead of erased. This right also applies when the AGCC no longer needs the information for the purpose it was collected but the individual has requested that the AGCC does not delete it as it requires the AGCC to hold it in connection with a legal claim.
The right to object to processing
Individuals can object to the AGCC’s processing of personal data carried out for the predominant ground for processing, namely the exercise of the AGCC’s statutory or regulatory functions. If a request is made the AGCC will stop processing the data unless compelling legitimate grounds can be shown to continue the processing which override the interests of the individual.
Law enforcement processing
The Data Protection (Bailiwick of Guernsey) Law, 2017 gives effect to the EU Law Enforcement Directive. If this is applicable the rights of the individual may be restricted where it is necessary or proportionate to avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences. This also applies for processing to avoid the obstruction of an official or legal inquiry, investigation or procedure as well as when the processing is necessary to protect public security, national security or the rights and freedoms of individuals other than the data subject.
Accessing personal data
Individuals have the right to confirmation as to whether or not the AGCC is processing their personal data. If the AGCC is processing the data the individual has the right to access that data as well as obtain a reason for the AGCC holding and processing the data, how long the data will be held for and whether the data has been shared with a third party, and if so, who that third party is.
Such requests must be made in writing. A request can be made by post to the address above or email to [email protected]
Requests must include:
- The individual’s name.
- The individual’s address. This is needed to provide the information. It can be either a postal address or email address.
- A description of the information sought.
A person making a request will need to provide evidence of their identity. This will involve the submission of photographic identification and proof of address.
The AGCC will endeavour to provide a response within one month. If this is not possible the AGCC will provide you with updates as to the progress of the request. A complex request may take longer than one month.
Individuals should note that they may not be entitled to see all the information that the AGCC holds on them. The Data Protection (Bailiwick of Guernsey) Law, 2017 and GDPR contain a number of exemptions which include if the personal data is mixed with the data of other individuals or disclosure would prejudice the exercise of the AGCC’s regulatory functions or the information is subject to legal privilege. Also requests which are manifestly unfounded or excessive may be refused.
Overseas transfers
The AGCC’s systems are based in Guernsey. International transfers of data will arise where third party providers of information are located outside the Bailiwick, where the AGCC needs to send information to international gambling regulatory counterparts, sports governing bodies located overseas or to law enforcement bodies overseas in connection with regulatory or criminal investigations or processes.
Changes to this privacy statement
The AGCC will review this processing notice periodically and may change it. If changes are made they will be posted on the AGCC’s website.
How to contact the AGCC
The AGCC’s Data Protection Officer can be contacted at the address above if there are any concerns about this notice or you wish to provide any feedback.
If there are concerns about the AGCC’s processing of personal data then individuals should write to the AGCC’s Data Protection Officer at [email protected] and in addition individuals have the right to lodge a complaint with the Office of the Data Protection Commissioner in Guernsey. Further information about the Data Protection Commissioner can be found at www.odpc.gg
Published 8th November, 2023