Skip to main content

Privacy and cookies

Privacy statement

This website is operated by the Gambling Commission whose principal place of business is Victoria Square House, Victoria Square, Birmingham B2 4BP. We are an independent non-departmental public body sponsored by the Department for Digital, Culture, Media and Sport, a department of the United Kingdom government.

The Gambling Commission was set up under the Gambling Act 2005 (the Gambling Act) to regulate commercial gambling in Great Britain in partnership with licensing authorities. We also regulate the National Lottery under the National Lottery etc. Act 1993.

In order to carry out our regulatory functions and meet our legal responsibilities, we need to collect certain personal data and, when we do, we are a ‘data controller’ of that information for the purposes of the General Data Protection Regulation (the GDPR) (which applies across the European Union including the United Kingdom), the Data Protection Act 2018 (the Data Protection Act) which supplements GDPR, extends its application in the UK, and implements the Law Enforcement Directive (which relates to processing personal data for law enforcement purposes) (the LED) in the UK.

We are registered with the Information Commissioner’s Office as a data controller. Our registration number is: Z9166002.

Show allShow less

What is personal data and special category data?

Under the GDPR, personal data is defined as any information relating to an identified or identifiable natural person. It can include obvious identifiers like your name but also identification numbers, online identifiers and/or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.

Special category data includes data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and genetic data, biometric data, data concerning health or data concerning a person’s sex life or sexual orientation.

What personal data do we collect, for what purpose and what is the basis for doing so?

We collect and process personal data based on one or more of the following legal bases:

  • Consent: the individual has given clear consent for us to process their personal data for a specific purpose
  • Contract: the processing is necessary for a contract we have with the individual or their organisation, or because they have asked us to take specific steps before entering into a contract
  • Legal obligation: the processing is necessary for us to comply with the law (not including contractual obligations)
  • Vital interests: the processing is necessary to protect someone’s life
  • Public task: the processing is necessary for us to perform a task in the public interest or for our official functions, and the task or function has a clear basis in law.

We collect and process special categories of personal data based on one or more of the legal bases set out above and where one of the separate conditions for processing applies, the most likely being:processing is necessary for reasons of substantial public interest, on the basis of UK law and is proportionate to the aim pursued, or processing is necessary for the establishment, exercise or defence of legal claims.

As a regulatory body, most of the personal data that we collect and process is data relating to our regulatory functions and responsibilities. Therefore, for the most part (and for the reasons set out below), when we are processing data it will be on the basis that it is necessary for the performance of a task carried out in the public interest and/or in exercising our statutory functions. We have sought to explain how this works below and also what other lawful bases apply to our processing of data in the relevant categories.

We will also be acting as a prosecutor in relation to certain gambling offences, and processing data for this purpose. The effect of this is picked up below.


Licence applicants and National Lottery vetting

When we receive an application for a licence for a business, for a personal licence via application online, or carry out vetting processes for 'vetted roles' in relation to the National Lottery, we create or update the information we hold about that person on our systems. We use that data to decide whether to approve the application and issue the licence.

The provision of data for the purposes of licence applications and vetting processes is required by law. Failure to provide the information requested constitutes an offence under the Gambling Act and will lead to the application being refused. The provision of data for the purpose of vetting procedures is required by law under the National Lottery etc. Act 1993. If we find that any individual does not meet the necessary standards required by law, they may not be employed in a vetted role. It is also vital, of course, that care is taken to ensure that the information supplied is accurate (including in the period between the submission of the application and the date of the decision). If this is not done, there is a possibility that the licence subsequently issued may be reviewed and potentially revoked.

We are also required to conduct ‘suitability assessments’ as part of the licensing process. For this purpose, we will obtain personal data relating to applicants from third parties such as Disclosure and Barring Service/Disclosure Scotland, CreditSafe and Experian. Obtaining data from third parties is explained further below.

The licensing objectives under the Gambling Act are:

  • preventing gambling from being a source of crime and disorder, being associated with crime or disorder or being used to support crime
  • ensuring that gambling is conducted in a fair and open way
  • protecting children and other vulnerable people from being harmed or exploited by gambling.

Therefore, our collection of personal data for licensing purposes may also be used to:
  • comply with our statutory function and legal obligations
  • inform our regulatory work in accordance with these objectives – including investigations and enforcement
  • assist other regulators or law enforcement agencies
  • check our level of service and to help us improve things where we can
  • conduct research/ collate statistics for publication and/or for the purposes of formulation of policy. Although, in this case, the persons’ data will not identify individuals (in other words, it will be anonymised).


People who already hold a licence - operating/personal

We operate an eServices portal for existing licensees which allows them/ their representatives to:

  • (operators) apply for additional licences, add/ remove/change licence activities, submit key events and Licence conditions and codes of practice (LCCP) notifications, submit regulatory returns or audits, and pay invoices using a credit or debit card
  • (personal licensees) download a copy of their licence, submit key events and LCCP notifications, and submit Personal Licence Maintenance forms (which are required to ensure information is up to date – every five years).

This information is held for the regulatory purposes set out in the Gambling Act. This data may also be used for the additional purposes directly above for the same reasons.
We publish the names of all companies and individuals who hold, or have applied for, operating licences in Great Britain. We also publish the names of companies or individuals whose licences have lapsed, been revoked, forfeited, expired, suspended or surrendered in the last three years. If a licensee is, or has been, subject to a regulatory sanction they are also listed on the regulatory action area of our website. We do this in order to comply with our legal obligations under the Gambling Act.


People we are investigating/regulatory action

The Gambling Act requires that we undertake activities for the purposes of assessing compliance with the Act/ whether any offence has been committed under the Act/and to institute criminal proceedings.

We will use personal data in the course of conducting investigations (and deciding outcomes) into the activities of personal and operator licensees.

This information may also be relevant to our wider regulatory objectives and statutory functions. We may, for example, derive information from our investigations which help us improve our understanding of the gambling market and assessment of the risks it faces (and potential risks to consumers as a result), and to seek continuous improvements in the market and our regulation of it.

As mentioned above, we will also publish regulatory action we take following our investigations.

We will also be acting as a prosecutor in relation to certain gambling offences – where the relevant provisions of the LED (as implemented by the Data Protection Act) will be engaged.

Complainant data

Our complaints page lists the sorts of complaints we may see in the course of our work (and explains how you might raise a complaint) – these include:

  • 1.Consumer complaints about a gambling business (save for that mentioned below, these will generally be made to the business itself first or, if necessary, by an Alternative Dispute Resolution (ADR) process)
  • 2.Complaints about ADR providers
  • 3.Whistleblowing about the way a gambling business is run
  • 4.Complaints about the National Lottery
  • 5.Complaints about the Gambling Commission.

When we receive any such complaint, we will create a complaint file which will identify the complainant (and include their contact details) and others who may be named in the complaint.

We will ordinarily have to share the complainant’s identity with the operator or person complained about. It may be necessary for the person complained about to access any relevant information they hold on a complainant (eg relevant customer account details, history) to help us resolve the complaint. The more complete a picture that we have of the issues complained about, the better prospect we will have in dealing with it effectively. If a complainant tells us that they do not want to be identified to the operator/ person complained about, we will try to respect that. But where there is an overarching public interest to progress a complaint made, which cannot be done without disclosing the complainant’s identity, we may decide to do so.

A complaint may also lead to regulatory action as set out above; as such, the relevant data may also form part of the investigation file.

We may publish research or statistics regarding the complaints we deal with in a relevant period; but we will not do this in a way which identifies individual complainants.


What are cookies?

When we provide services, we want to make them easy, useful and reliable. Where services are delivered on the internet, this sometimes involves placing small amounts of information on your device, for example, computer or mobile phone. These include small files known as cookies. They cannot be used to identify you personally.
These pieces of information are used to improve services for you through, for example:

    • enabling a service to recognise your device so you don’t have to give the same information several times during one task
    • recognising that you may already have given a username and password so you don’t need to do it for every web page requested
    • measuring how many people are using services, so they can be made easier to use and there’s enough capacity to ensure they are fast.

    You can manage these small files yourself and learn more about them through cookies – what they are and how to manage them.


Our use of cookies

Usage analysis: We use Google Analytics to create anonymous cookies and log the IP addresses of visitors. We do not collect any personal information in the process.We collect this data to assess which parts of the website are the most popular and identify trends in usage, helping to guide the development of new web pages. See cookies we use for this analysis

How we use information website visitors provide us with

We do not use cookies for collecting user information. Except as otherwise stated, we may use information visitors provide via this website to communicate information to them (if they have requested it) and for internal marketing and research purposes. We do not disclose any information visitors provide via the website to any third parties or other government departments except where:

    • such disclosures are necessary to fulfil our service obligations to them, in which case we will require such third parties to agree to treat it in accordance with this Privacy Policy
    • required by applicable laws, court orders or government regulations (for example to prevent or detect crime)
    • or they give us permission to do so.

      We take reasonable precautions to prevent the loss, misuse, or alteration of data that visitors give us.If you would like us to correct or update any information, or if you would like information deleted from our records, then please contact us on, or write to:

      Data Protection Officer

      Gambling Commission

      Victoria Square House

      Victoria Square


      B2 4BP


Links to other websites

This privacy statement only covers the Gambling Commission website at
This statement does not cover links within this statement to other websites.

How long we keep the information

We operate under a detailed data retention policy which sets out how long certain categories of data will be retained and/or how often certain data will be reviewed for the purpose of assessing whether it needs to be retained. We have four main retention periods:

  • 25 years: for data relating to research
  • 10 years for data associated with contracts that we have entered into and also for enforcement activities
  • 5 years for data relating to Regulation of Investigatory Powers Act 2000, intelligence activities and reports, licensee and operator documents (including correspondence, reports, reviews and assessments)
  • 3 years for data relating to call centre records and complaints.


Keeping your personal information secure

We have a duty to, amongst other things:

    • keep sufficient information to provide services and fulfil our legal responsibilities
    • keep your records secure and accurate
    • only keep information as long as it is required (per the above).

    We will use technical and organisational measures in accordance with good industry practice to safeguard your information. For example, we hold and adhere to ISO:27001 – the ISO standard on information security.


Obtaining data from third parties

In accordance with our statutory functions and powers, we will obtain data from third parties in the following ways (and for the following reasons):

    • in order to confirm information supplied to us in the licensing application process and/or for the purposes of suitability assessments. This may include data organisations such as CreditSafe and Experian, as well as public registers, and information from other regulatory bodies. As part of our applications process, we include an authorisation for release of information – which confirms (for the purposes of the third parties we approach) applicants’ agreement to the supply of information from governmental and public bodies, financial institutions etc. To the extent the relevant information requested/supplied by these third parties constitutes personal data, we do not rely on consent as the lawful basis for processing the same. As explained above, this processing will be for the purposes of exercising our official authority and statutory functions as regulator of the gambling industry.
    • from operators at our request for the purposes of our exercise of our functions, particularly in the context of seeking to achieving our regulatory objects under the Gambling Act. This may include information about problem gamblers, for example.
    • from complainants, other regulatory bodies, witnesses and experts about persons relevant to a regulatory investigation
    • data provided by licence applicants identifying people relevant to the application who are not the applicants themselves (e.g. funders).

    In each case, the information is important to the exercise of our regulatory functions; and, we will not generally notify the relevant individuals when such data is received from third parties. In certain circumstances, particularly where there is a possibility of criminal activity being identified and actioned, notification could obviously hinder this process. In other cases, the information is necessary (and failure to provide it could lead, for example, to a refused application or even an offence being committed under the Gambling Act) and/or notifying individuals would involve disproportionate effort.


Who we share personal data with

Your data may be shared with third parties who fulfil a service on our behalf, and under our express instructions. It may also be shared with other bodies where it is necessary to do so and where we are legally required or permitted to do so. This may include third party payment processors, relevant public authorities, gambling operators, sports governing bodies, other regulators and law enforcement agencies (including overseas). We also share data with third parties for the purpose of vetting applicants. Such third parties include Camelot, Experian, Disclosure and Barring Service and/or Disclosure Scotland, Serious Fraud Office, Her Majesty's Revenue and Customs and the Financial Conduct Authority. Finally, in limited circumstances we share personal data with market research organisations for research purposes.Sharing data is primarily for the purpose of performing our regulatory functions such as assessing individuals’ suitability to be licensed, but it may also be necessary to share information for other reasons, such as the prevention and detection of crime or the collection of tax and gaming duty.

Your rights

Depending upon the information we hold about you, and the reasons for our holding it, you have various rights under the GDPR/ the Data Protection Act – as set out below. If you have any questions about this, please contact our Data Protection Officer at the address stated above.

The right to rectification

You are entitled to have relevant records/ files amended if the personal data we hold is inaccurate or incomplete. This can be done by certain individuals via their eServices account.

The right to erasure

In limited circumstances you will have the right (where the data is no longer needed for the purposes it was collected, where you have withdrawn consent and there is no other lawful basis on which we can continue to process it, you object to processing and there are no overriding legitimate grounds to continue, where the data has been unlawfully processed or where the data has to be erased for compliance with a legal obligation) to request that we erase the information we hold about you.
As most of our processing is conducted in order for us to comply with a legal obligation and/or perform a public task, this right will not be available in most circumstances.

The right to restrict processing

You have the right to seek to restrict processing of your data in the following circumstances:

  • the accuracy of the data is contested – for a period necessary to allow us to verify its accuracy
  • the processing is unlawful and you request restriction instead of erasure, or
  • we no longer need the data for the purposes it was collected, but you need it in connection with a legal claim.


The right to object processing

You have the right to object to our processing of data which is done on our predominant ground for processing – the exercise of our statutory/ regulatory functions. In this case, we will stop processing unless we can demonstrate compelling legitimate grounds for continuing the processing which override your interests.

Law enforcement processing

The Data Protection Act (implementing the LED) sets out how the rights (together with rights of access – explained below) apply in circumstances where we are prosecuting/conducting law enforcement processing. This includes the prospect of certain rights being restricted (in whole or in part) where necessary and proportionate: to avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences or expectation of criminal penalties; to avoid obstructing an official or legal inquiry, investigation or procedure; or to protect public security, national security, or the rights and freedoms of persons other than the data subject.

Accessing your personal data

You have the right to confirmation as to whether or not we are processing your personal data and, if access the data together with the reasons we hold it, the period it will be retained and who the information has been shared with.

Your request must be in writing. You can submit your request by post or email to

The request must include:

    • your name
    • your address/ email address for sending the information to you
    • a description of the information you wish to obtain.

      To ensure confidentiality, we will need evidence which confirms your identity. A copy of photo identification, and proof of your address such as a copy of a photo driving licence or passport and a recent utility bill. Please do not send original documents.

      Most requests will receive a response within one month of receipt of a valid request; those which are more complex or numerous may take up to three months.

    You may not be entitled to see all the information held about you if an exemption under the GDPR/ the Data Protection Act applies, eg if it contains data mixed with other individuals’ data, if disclosure would prejudice the exercise of our regulatory functions or is subject to legal privilege. Requests which are manifestly unfounded or excessive will be refused.


Overseas transfers

Our systems are UK based. The prospect of international transfer of data will only generally arise in circumstances where we need to send information to our international gambling regulatory counterparts, sports governing bodies based overseas or to officials overseas in connection with regulatory or criminal investigations or processes.

Changes to this privacy statement

We keep this privacy statement under regular review and may change it from time to time. If we change this statement we will post the changes on this page, and place notices on other pages of our website as applicable.


How to contact us

Please contact our Data Protection Officer at the address stated above if you have any feedback or questions about this privacy statement.

How to complain

If you have any concerns about how we collect or process your data then you can write to our Data Protection Officer or refer to our complaints page. You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO). Complaints can be submitted to the ICO through its helpline by calling 0303 123 1113. Further information about reporting concerns to the ICO is available here.

Do you need any extra help

If you would like this privacy statement in another format (eg audio, large print, braille) please contact us

Published on 11 May 2018