With this document you can:

This box is not visible in the printed version.

Privacy policy

The Gambling Commission privacy and cookie policy.

Published: 11 May 2018

Last updated: 17 April 2024

This version was printed or saved on: 14 October 2024

Online version: https://www.gamblingcommission.gov.uk/about-us/guide/privacy-policy

Overview: ## Privacy statement This website is operated by the Gambling Commission whose principal place of business is Victoria Square House, Victoria Square, Birmingham B2 4BP. We are an independent non-departmental public body sponsored by the Department for Digital, Culture, Media and Sport, a department of the United Kingdom government.

The Gambling Commission was set up under the Gambling Act 2005 (the Gambling Act) to regulate commercial gambling in Great Britain in partnership with licensing authorities. We also regulate the National Lottery under the National Lottery etc. Act 1993.

In order to carry out our regulatory functions and meet our legal responsibilities, we need to collect certain personal data and, when we do, we are a ‘data controller’ of that information for the purposes of the General Data Protection Regulation (the GDPR) (which applies across the European Union including the United Kingdom), the Data Protection Act 2018 (the Data Protection Act) which supplements GDPR, extends its application in the UK, and implements the Law Enforcement Directive (which relates to processing personal data for law enforcement purposes) (the LED) in the UK.

What is personal data and special category data?

Under the GDPR, personal data is defined as any information relating to an identified or identifiable natural person. It can include obvious identifiers like your name but also identification numbers, online identifiers and/or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.

Special category data includes data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and genetic data, biometric data, data concerning health or data concerning a person’s sex life or sexual orientation.

What personal data do we collect, for what purpose, and what is the basis for doing so?

We collect and process personal data based on one or more of the following legal bases:

We collect and process special categories of personal data based on one or more of the legal bases set out above and where one of the separate conditions for processing applies, the most likely being: processing is necessary for reasons of substantial public interest, on the basis of UK law and is proportionate to the aim pursued, or processing is necessary for the establishment, exercise or defence of legal claims.

As a regulatory body, most of the personal data that we collect and process is data relating to our regulatory functions and responsibilities. Therefore, for the most part (and for the reasons set out below), when we are processing data it will be on the basis that it is necessary for the performance of a task carried out in the public interest and/or in exercising our statutory functions. We have sought to explain how this works below and also what other lawful bases apply to our processing of data in the relevant categories.

We will also be acting as a prosecutor in relation to certain gambling offences, and processing data for this purpose. The effect of this is picked up below.

Licence applicants and National Lottery vetting

When we receive an application for a licence for a business, for a personal licence via application online, or carry out vetting processes for 'vetted roles' in relation to the National Lottery, we create or update the information we hold about that person on our systems. We use that data to decide whether to approve the application and issue the licence.

The provision of data for the purposes of licence applications and vetting processes is required by law. Failure to provide the information requested constitutes an offence under the Gambling Act and will lead to the application being refused. The provision of data for the purpose of vetting procedures is required by law under the National Lottery etc. Act 1993. If we find that any individual does not meet the necessary standards required by law, they may not be employed in a vetted role. It is also vital, of course, that care is taken to ensure that the information supplied is accurate (including in the period between the submission of the application and the date of the decision). If this is not done, there is a possibility that the licence subsequently issued may be reviewed and potentially revoked.

We are also required to conduct ‘suitability assessments’ as part of the licensing process. For this purpose, we will obtain personal data relating to applicants from third parties such as Disclosure and Barring Service/Disclosure Scotland, CreditSafe and Experian. Obtaining data from third parties is explained further below.

The licensing objectives under the Gambling Act are:

Therefore, our collection of personal data for licensing purposes may also be used to:

Fourth National Lottery Licence

Under the National Lottery Act 1993 (“the Act”), The Gambling Commission has overriding statutory duties to ensure that the National Lottery is run with all due propriety, and that the interests of all participants are protected.

It is the responsibility of the Licensee to ensure that any person who benefits from, or is involved in, the management or activities of the National Lottery, meets the Fit and Proper Requirements of the Licence.

The Licensee is required to provide requested information to the Commission for every identified Lottery Supervisor or Lottery Beneficiary to perform fit and proper checks, as well as information for any Critical Function Employee, should the Commission require it.

The Commission has engaged the services of Verifile Limited (Verifile) to undertake Fit and Proper Checks.

Verifile checks examine the identity, integrity, criminality, and financial integrity of persons requiring those fit and proper checks and produces a final report that is provided to the Commission to assess whether they meet the fit and proper requirements. The Commission will retain this report in line with Commission’s retention schedule.

Additional checks will be undertaken for Lottery Beneficiaries, whereby the Commission will use the United Kingdom (UK) Government’s National Security Vetting provider. Information pertaining to the checks will be held by the Commission in line with the Commission’s retention schedule. For further information, refer to the National Lottery Fourth Licence.

People who already hold an operating and or personal licence

We operate an eServices portal for existing licensees which allows them/ their representatives to:

This information is held for the regulatory purposes set out in the Gambling Act. This data may also be used for the additional purposes directly above for the same reasons. We publish the names of all companies and individuals who hold, or have applied for, operating licences in Great Britain. We also publish the names of companies or individuals whose licences have lapsed, been revoked, forfeited, expired, suspended or surrendered in the last three years. If a licensee is, or has been, subject to a regulatory sanction they are also listed on the regulatory action area of our website. We do this in order to comply with our legal obligations under the Gambling Act.

People we are investigating/regulatory action

The Gambling Act requires that we undertake activities for the purposes of assessing compliance with the Act/ whether any offence has been committed under the Act/and to institute criminal proceedings.

We will use personal data in the course of conducting investigations (and deciding outcomes) into the activities of personal and operator licensees.

This information may also be relevant to our wider regulatory objectives and statutory functions. We may, for example, derive information from our investigations which help us improve our understanding of the gambling market and assessment of the risks it faces (and potential risks to consumers as a result), and to seek continuous improvements in the market and our regulation of it.

As mentioned above, we will also publish regulatory action we take following our investigations.

We will also be acting as a prosecutor in relation to certain gambling offences – where the relevant provisions of the LED (as implemented by the Data Protection Act) will be engaged.

Complainant data

Our complaints page lists the sorts of complaints we may see in the course of our work (and explains how you might raise a complaint) – these include:

  1. Consumer complaints about a gambling business (save for that mentioned below, these will generally be made to the business itself first or, if necessary, by an Alternative Dispute Resolution (ADR) process)
  2. Complaints about ADR providers
  3. Whistleblowing about the way a gambling business is run
  4. Complaints about the National Lottery
  5. Complaints about the Gambling Commission.

When we receive any such complaint, we will create a complaint file which will identify the complainant (and include their contact details) and others who may be named in the complaint.

We will ordinarily have to share the complainant’s identity with the operator or person complained about. It may be necessary for the person complained about to access any relevant information they hold on a complainant (for example, relevant customer account details, history) to help us resolve the complaint. The more complete a picture that we have of the issues complained about, the better prospect we will have in dealing with it effectively. If a complainant tells us that they do not want to be identified to the operator/ person complained about, we will try to respect that. But where there is an overarching public interest to progress a complaint made, which cannot be done without disclosing the complainant’s identity, we may decide to do so.

A complaint may also lead to regulatory action as set out above; as such, the relevant data may also form part of the investigation file.

We may publish research or statistics regarding the complaints we deal with in a relevant period; but we will not do this in a way which identifies individual complainants.

Gambling Commission Consultations

As part of the Gambling Commission’s regulatory responsibilities, it will publish consultations on various topics, seeking the views of the industry, companies, parliamentarians, researchers and the public.

We will process your personal data for the purpose of informing the development of our policy, guidance and other regulatory work in the subject area of the consultation. If contact details are provided, we may use these to monitor responses or contact you in relation to the consultation.

We may publish a summary of the consultation responses, but these will not contain any personal data. We may decide to publish your name (and on whose behalf you have responded) to indicate that you have responded to this consultation, we will only ever do this with your consent.

The lawful basis we are relying on to process your personal data is article 6(1)(e) of the GDPR, which allows us to process personal data when this is necessary for the performance of our public tasks in our capacity as a regulator.

If we do need to contact you in relation to your consultation response the lawful basis we are relying on to process your personal data is article 6(1)(f) of the GDPR, which allows us to process personal data where this is necessary for the purposes of the legitimate interests pursued by the Commission or by a third party.

What are your rights?

You have the right to request access to the personal data that we hold about you. You have the right to ask for your personal data to be rectified or erased, or to restrict the way in which we process it. You have the right to object to the processing of your personal data. If you are unhappy with the way in which we have processed your personal data then you have the right to complain to a supervisory authority.

If you wish to exercise any of these rights, please email GDPR@gamblingcommission.gov.uk stating your name, email address and the consultation(s) to which you responded.

Do we use any data processors?

If we are using a third party as part of a consultation you will be informed of this and provided with any additional information that may be required as per data protection requirements.

What are cookies?

Cookies are small text files containing a string of characters that can be placed on your phone, tablet or computer that uniquely identify your browser or device.

Cookies tell us if your phone, tablet or computer has visited the site before. They help us understand how the site is being used, help you navigate between pages efficiently, help remember your preferences, and generally improve your browsing experience.

Any changes to how your cookie data is processed will be promptly reflected in this policy and will immediately apply to you and your data. If these changes affect how your data is processed, the Gambling Commission will take reasonable steps to let you know.

Cookies cannot be used to identify you personally. These pieces of information are used to improve services for you through, for example:

Our use of cookies

Google Analytics

We use Google Analytics software (Google Analytics 4) to collect anonymised information about how you use this site. We do this to help make sure the site is meeting the needs of its users and to help us make improvements.

We do not allow Google to use or share the data about how you use this site.

Google Analytics stores information about:

Find details about Google Analytics cookie usage on websites (opens in new tab)

Microsoft Clarity

We partner with Microsoft Clarity to capture how you use and interact with our website through behavioural metrics, heatmaps, and session replay to make improvements to the website.

Website usage data is captured using ‘first’ and ‘third-party’ cookies and other tracking technologies for site optimization, fraud, and security purposes.

For more information about how Microsoft collects and uses your data, visit the Microsoft Privacy Statement (opens in new tab).

YouTube videos

Some website pages may contain content from other sites, like YouTube, which may set their own cookies. These sites are sometimes called ‘third party’ services. This tells us how many people are seeing the content and whether it’s useful.

In addition, if you share a link to one of our website pages, the service you share it on (for example, Facebook) may set a cookie. We have no control over cookies set on other websites – you can turn them off, but not through us.

Cookies use

Find details about the cookies we use on the Gambling Commission website.

The following table details what cookies we use within our services.

What cookies we use within our services.
Service Name Purpose Expires If disabled
Application online .AppOnline Anti-forgery token to prevent fraudulent use of form submissions On browser close Service will not be usable
Application online ASP.NET_SessionId Session ID On browser close Service will not be usable
Apply for a personal licence .AspNetCore.Antiforgery.<UniqueId> Anti-forgery token to prevent fraudulent use of form submissions On browser close Service will not be usable
Apply for a personal licence GCAuth Session ID On browser close Service will not be usable
Apply for a personal licence GCSession Session ID while in a specific application On browser close Service will not be usable
eServices _RequestVerificationToken_<UniqueId> Anti-forgery token to prevent fraudulent use of form submissions On browser close Enables fraudulent activity and rogue form submissions
eServices Eservices Session ID for the user On browser close Service will not usable
eServices Eservices.AccountUser Session ID for the account the user is logged in as 1 hour Service will not be usable
eServices .OLEOnline Randomly generated session ID On browser close Service will not be usable
LA returns GCOR Anti-forgery token to prevent fraudulent use of form submissions On browser close Service will not be usable
LA returns ASP.NET_SessionId Session ID On browser close Service will not be usable
Manage your personal licence ai_session This is a unique anonymous session identifier cookie.

Cookies set by Microsoft Application Insights, which allow Insights to monitor the health and status of the server and website.
On browser close Performance information will not be collected
Manage your personal licence ai_user This is a unique user identifier cookie enabling counting of the number of users accessing the application over time.

Cookies set by Microsoft Application Insights, which allow Insights to monitor the health and status of the server and website.
1 year Performance information will not be collected
Manage your personal licence .AspNetCore.Antiforgery.<UniqueId> Anti-forgery token to prevent fraudulent use of form submissions On browser close Service will not be usable

How we use information website visitors provide us with

We do not use cookies for collecting user information. Except as otherwise stated, we may use information visitors provide via this website to communicate information to them (if they have requested it) and for internal marketing and research purposes. We do not disclose any information visitors provide via the website to any third parties or other government departments except where:

We take reasonable precautions to prevent the loss, misuse, or alteration of data that visitors give us. If you would like us to correct or update any information, or if you would like information deleted from our records, then please contact us on DPO@gamblingcommission.gov.uk, or write to:

Data Protection Officer
Gambling Commission
Victoria Square House
Victoria Square
Birmingham
B2 4BP

GDPR@gamblingcommission.gov.uk

User research

Purpose for processing

The purpose for collecting your personal data is so that you can register for our user research programme. We may then contact you about upcoming sessions within the user research programme, which you may want to get involved in.

The legal basis we rely on for processing your personal data is consent under article 6(1)(a) of the General Data Protection Regulation (GDPR).

We have a legal obligation to make our services accessible, in order to do this, we will also collect information from you about your accessibility requirements. The legal basis we rely on for processing this information is consent under Article 9(2)(a) of the GDPR.

What we need

We need the following pieces of data:

Why we need it

We will use your name, email address and telephone number to contact you about upcoming user research sessions.

We will use the remaining data to identify individuals that belong to specific user groups, who we would like to participate in an upcoming user research session.

What we do with it

We only use your personal data as part of the user research programme. You will receive a confirmation email once you have registered for the user research programme.

We may then send you an email about upcoming user research sessions that you may be interested in. You will be provided with some background information of what to expect and a consent form to sign.

You have no obligation to participate in a user research session. If you do want to participate, you can opt out or stop the user research session at any time.

You can opt out of the user research programme at any time, which will mean you would not get any future correspondence about upcoming user research sessions.

Once we receive your consent, we will allocate a participant number against your personal data. This participant number will then be used to record your feedback within a separate document. Your personal data will not be shared with anyone else.

You can opt out of the user research programme at any time, which will mean you would not get any future correspondence about upcoming user research sessions. To opt out emailing us at userresearch@gamblingcommission.gov.uk and we will remove your details.

How long we keep it

We will keep your personal data within the user research programme for 3 years. Before this time is due to lapse, we will contact you to see if you would like to still be registered.

Once you have consented for a user research session, we will retain your personal data against a participant number for 12 months. The feedback provided against the participant number will be retained until it is no longer relevant or necessary.

What are your rights?

If you want to know more about your rights, please refer to the Your rights section within this privacy statement.

Do we use data processors?

Yes - we use GOV.UK Notify to send out emails on our behalf. For more information, please see GOV.UK Notify’s privacy notice (opens in new tab). You will be informed of any other processor(s) used as part of the initiative you take part in.

Links to other websites

How long we keep the information

We operate under a detailed data retention policy which sets out how long certain categories of data will be retained and/or how often certain data will be reviewed for the purpose of assessing whether it needs to be retained. We have four main retention periods:

Fourth National Lottery Licence

Personal data collected and processed for the purposes of fit and proper checks on Applicants (and other key individuals) of the Fourth National Lottery Licence shall be retained until August 2025.

Personal data collected and processed for the purposes of fit and proper checks on the licensee of the Fourth National Lottery Licence (the successful Applicant and other key individuals) shall be retained for the life of licence plus 7 years.

Keeping your personal information secure

We have a duty to, amongst other things:

We will use technical and organisational measures in accordance with good industry practice to safeguard your information. For example, we follow best practice in line with the ISO:27001 – the ISO standard on information security and hold cyber essentials.

Obtaining data from third parties

In accordance with our statutory functions and powers, we will obtain data from third parties in the following ways (and for the following reasons):

In each case, the information is important to the exercise of our regulatory functions; and, we will not generally notify the relevant individuals when such data is received from third parties. In certain circumstances, particularly where there is a possibility of criminal activity being identified and actioned, notification could obviously hinder this process. In other cases, the information is necessary (and failure to provide it could lead, for example, to a refused application or even an offence being committed under the Gambling Act) and/or notifying individuals would involve disproportionate effort.

Who we share personal data with

Your data may be shared with third parties who fulfil a service on our behalf, and under our express instructions. It may also be shared with other bodies where it is necessary to do so and where we are legally required or permitted to do so. This may include:

We also share data with third parties for the purpose of vetting applicants. Such third parties include:

Finally, in limited circumstances we share personal data with market research organisations for research purposes. Sharing data is primarily for the purpose of performing our regulatory functions such as assessing individuals’ suitability to be licensed, but it may also be necessary to share information for other reasons, such as the prevention and detection of crime or the collection of tax and gaming duty.

Your rights

Depending upon the information we hold about you, and the reasons for our holding it, you have various rights under the GDPR/ the Data Protection Act – as set out below. If you have any questions about this, please contact our Data Protection Officer at the address stated above.

The right to rectification

You are entitled to have relevant records/ files amended if the personal data we hold is inaccurate or incomplete. This can be done by certain individuals via their eServices account.

The right to erasure

In limited circumstances you will have the right (where the data is no longer needed for the purposes it was collected, where you have withdrawn consent and there is no other lawful basis on which we can continue to process it, you object to processing and there are no overriding legitimate grounds to continue, where the data has been unlawfully processed or where the data has to be erased for compliance with a legal obligation) to request that we erase the information we hold about you.

As most of our processing is conducted in order for us to comply with a legal obligation and/or perform a public task, this right will not be available in most circumstances.

The right to restrict processing

You have the right to seek to restrict processing of your data in the following circumstances:

The right to object processing

You have the right to object to our processing of data which is done on our predominant ground for processing – the exercise of our statutory/ regulatory functions. In this case, we will stop processing unless we can demonstrate compelling legitimate grounds for continuing the processing which override your interests.

Law enforcement processing

The Data Protection Act (2018) (opens in new tab) (implementing the LED) sets out how the rights (together with rights of access – explained below) apply in circumstances where we are prosecuting/conducting law enforcement processing. This includes the prospect of certain rights being restricted (in whole or in part) where necessary and proportionate: to avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences or expectation of criminal penalties; to avoid obstructing an official or legal inquiry, investigation or procedure; or to protect public security, national security, or the rights and freedoms of persons other than the data subject.

Accessing your personal data

You have the right to confirmation as to whether or not we are processing your personal data and, if access the data together with the reasons we hold it, the period it will be retained and who the information has been shared with.

Your request must be in writing. You can submit your request by post or email to SAR@gamblingcommission.gov.uk

The request must include:

To ensure confidentiality, we will need evidence which confirms your identity. A copy of photo identification, and proof of your address such as a copy of a photo driving licence or passport and a recent utility bill. Please do not send original documents.

Most requests will receive a response within one month of receipt of a valid request; those which are more complex or numerous may take up to three months.

You may not be entitled to see all the information held about you if an exemption under the GDPR/ the Data Protection Act applies, for example if it contains data mixed with other individuals’ data, if disclosure would prejudice the exercise of our regulatory functions or is subject to legal privilege. Requests which are manifestly unfounded or excessive will be refused.

Overseas transfers

Our systems are UK based. The prospect of international transfer of data will only generally arise in circumstances where we need to send information to our international gambling regulatory counterparts, sports governing bodies based overseas or to officials overseas in connection with regulatory or criminal investigations or processes.

Changes to this privacy statement

We keep this privacy statement under regular review and may change it from time to time. If we change this statement we will post the changes on this page, and place notices on other pages of our website as applicable.

Stakeholder events privacy notice

Purpose for processing

The purpose for collecting your personal data is so that we can communicate with you about our events. We may ask you for your consent for your name and email address to be shared amongst the other attendees of any event for the purposes of networking and building relationships.

What we need

If you wish to attend one of our events, you will be asked to provide your contact information including your name, the organisation you work for (if you are attending on their behalf) and, if offered a place, information about any dietary requirements or accessibility requirements you may need.

The legal basis we rely on for processing your personal data is consent under article 6(1)(a) of the General Data Protection Regulation (GDPR).

Where we have collected personal information relating to your accessibility and dietary requirements we rely on consent as the legal basis for processing this information under Article 9(2)(a) of the GDPR.

Why we need it

We will use your contact details to communicate with you about the event and also to ensure that we can accommodate your personal requirements.

What we do with it

We only use your personal data to invite you to events and keep you updated afterwards. You will receive initial invitations to events, reminder emails and, if you are allocated a place, any pre-event information. After the event, we may share a write up of the discussions and our plans for next steps.

We may ask you for your consent for your name and email address to be shared amongst the other attendees of any event for the purposes of networking and building relationships. Your personal data will not be shared with anyone else, except for the below specific events:

We will ask for your consent to email you about future events that you may be interested in.

You have no obligation to participate in events. If you do want to participate, you can opt out at any time. If you opt out, this will mean you won’t get any future correspondence about upcoming events from us. If you wish to opt out, please contact us

Where you have provided us with information about dietary and accessibility requirements we will share anonymised information with the venue.

How long we keep it

We will keep your personal data within our contacts list for 3 years from when we last contacted you, at which point we will either delete it or contact you again to regain your consent.

Information that we collect relating to your dietary and accessibility requirements will be deleted after the event.

What are your rights?

If you want to know more about your rights, please refer to the Your rights section within the Gambling Commission privacy statement.

Do we use data processors?

Yes - we use Mailchimp, SurveyMonkey and Eventbrite to send out emails on our behalf for events. For more information, please see their privacy policies:

You will be informed of any other processor/s used as part of the event you take part in.

Recruitment privacy notice 2024

As part of any recruitment process, the organisation collects and processes personal data relating to job applicants. The organisation is committed to being transparent about how it collects and uses that data and to meeting its data protection obligations.

What information does the organisation collect?

The organisation collects a range of information about you. This includes:

The organisation collects this information from you in a variety of ways. For example, data might be contained in application forms, CVs or resumes, obtained from your passport or other identity documents, or collected through interviews or other forms of assessment, including online tests.

The organisation will also collect personal data about you from third parties, such as references supplied by former employers, information from employment background check providers and information from criminal records check providers.

The organisation will seek information from third parties only once a job offer has been made to you and will inform you that it is doing so.

Data will be stored in a range of different places, including on your application record, in HR management systems and on other IT systems (including email).

Why does the organisation process personal data?

The organisation needs to process data to take steps at your request prior to entering into a contract with you. It also needs to process your data to enter into a contract with you.

In some cases, the organisation needs to process data to ensure that it is complying with its legal obligations. For example, it is required to check a successful applicant's eligibility to work in the UK before employment starts.

The organisation has a legitimate interest in processing personal data during the recruitment process and for keeping records of the process.

Processing data from job applicants allows the organisation to manage the recruitment process, assess and confirm a candidate's suitability for employment and decide to whom to offer a job. The organisation may also need to process data from job applicants to respond to and defend against legal claims.

Where the organisation relies on legitimate interests as a reason for processing data, it has considered whether or not those interests are overridden by the rights and freedoms of the applicants and has concluded that they are not. The organisation processes health information if it needs to make reasonable adjustments to the recruitment process for candidates who have a disability. This is to carry out its obligations and exercise specific rights in relation to employment.

Where the organisation processes other special categories of data, such as information about ethnic origin, sexual orientation, health or religion or belief, this is for equal opportunities monitoring purposes.

For some roles, the organisation is obliged to seek information about criminal convictions and offences. Where the organisation seeks this information, it does so because it is necessary for it to carry out its obligations and exercise specific rights in relation to employment. The organisation has in place an appropriate policy document and safeguards which it is required under the relevant legislation to maintain when processing such data.

If your application is unsuccessful, the organisation will keep your personal data on file in case there are future employment opportunities for which you may be suited. The organisation will ask for your consent before it keeps your data for this purpose and you are free to withdraw your consent at any time by contacting HR Services by email at recruitment@gamblingcommission.gov.uk.

Who has access to data?

Your information will be shared internally for the purposes of the recruitment exercise.

This includes members of the HR and recruitment team, interviewers involved in the recruitment process, managers in the business area with a vacancy and IT staff if access to the data is necessary for the performance of their roles. The organisation will not share your data with third parties, unless your application for employment is successful and it makes you an offer of employment.

The organisation will then share your data with former employers to obtain references for you, employment background check providers to obtain necessary background checks and the Disclosure and Barring Service to obtain necessary criminal records checks.

The organisation will not transfer your data outside the European Economic Area.

How does the organisation protect data?

The organisation takes the security of your data seriously. It has internal policies and controls in place to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by our employees in the proper performance of their duties. Our Information Security Policy and Data Protection Policy, which may be obtained by contacting HR Services by email at recruitment@gamblingcommission.gov.uk, provides more information on how we keep your data safe and secure.

For how long does the organisation keep data?

If you enter into a selection process for a specific vacancy and your application for employment is then unsuccessful, the organisation will hold your data on file for 6 months after the end of the relevant recruitment process in accordance with our Data Retention Policy.

If you agree to allow the organisation to keep your personal data on file for longer, by ticking the box at the end of this Privacy Notice, the organisation will hold your data on file for 12 months from date of application for consideration for both this role and future employment opportunities. At the end of that period or once you withdraw your consent, your data will be securely deleted or destroyed.

If your application for employment is successful, personal data gathered during the recruitment process will be transferred to your personnel file and retained during your employment. The periods for which your data will be held will be provided to you in a new privacy notice.

Your rights

As a data subject, you have a number of rights. You can:

If you would like to exercise any of these rights, please contact HR Services by email at recruitment@gamblingcommission.gov.uk.

You can make a subject access request by completing the organisation's form for making a subject access request.

If you believe that the organisation has not complied with your data protection rights, you can complain to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues.

You can find out more information on data subject rights on the ICO website (opens in a new tab).

What if you do not provide personal data

You are under no statutory or contractual obligation to provide data to the organisation during the recruitment process. However, if you do not provide the information, the organisation may not be able to process your application properly or at all.

You are under no obligation to provide information for equal opportunities monitoring purposes and there are no consequences for your application if you choose not to provide such information.

Automated decision-making

Recruitment processes are not based solely on automated decision-making. However, If you do not consent to Disclosure and Barring Service checks, your application will be rejected by the system automatically and an email will be sent to you confirming this.

Monitoring social media

We monitor publicly available social media data, using a commercially available automated social media monitoring tool which gathers information and monitors content about topics related to our functions through publicly available information on platforms such as Twitter, Facebook, Instagram and LinkedIn.

We currently use the social media analytics tool, Orlo.

What personal information we need

We may collect personal information of social media users if users:

The data gathered through tools may include social media handles and content from posts which are publicly available.

Our legal basis for collecting this personal information is that it is necessary for the purposes of our or your legitimate interests to monitor public sentiment, pick up on developing trends and communicate with customers.

We do not actively collect special category personal data in our social media monitoring, but we may process such data in monitoring social media content where such data is included in social media posts. Special category data includes information about your health, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, sex life or sexual orientation. Our lawful basis for processing this information is:

What we do with it

The data we obtain through social media monitoring is used to help us respond to posts and messages and to monitor overall engagement with our content as well as mentions of our organisation, and related topics.

Anonymised insight reports will be prepared for internal use and will generally use aggregated data. However, individual quotes may be captured as examples and used to describe the general attitude towards the Commission, gambling or related topics.

Data may have been subject to automated decision-making to identify it as falling within a search description or sentiment.

We do not have any influence on the scope of data that is collected by social networks through their sites. If you use them, you should check the policies of the relevant platforms to understand how they protect your data.

How long we keep it

We will from time to time retain identifiable information that is downloaded from our social media monitoring in order to compile reports. Reports will be deleted within one month of being downloaded. Personal data will be stored for a maximum of up to two years on our social media analytics tool and will then be deleted.

Data gathered by Orlo will be stored according to their protocols. Please review Orlo’s privacy notices (opens in new tab) to understand how it uses your personal data.

Who we share your personal information with

Orlo processes your publicly available personal information on our behalf. We have a contract in place with Orlo and they are required to comply with law, only act on our instructions, to not share it with others unless we give permission, and to keep your personal information secure.

Any personal information downloaded from monitoring tools onto our IT systems will be shared with our IT suppliers who provide email, and document management and storage services.

How to contact us

If you would like to contact us with any Data Protection issues then please contact us on DPO@gamblingcommission.gov.uk.

How to complain privacy policy

If you have any concerns about how we collect or process your data then you can write to our Data Protection Officer or refer to our complaints page. You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO). Complaints can be submitted to the ICO through its helpline by calling 0303 123 1113. Further information about reporting concerns to the ICO is available on the ICO website (opens in new tab).

Do you need any extra help?

If you would like this privacy statement in another format (for example, audio, large print, braille) please contact us communications@gamblingcommission.gov.uk