The Gambling Commission website uses cookies to make the site work better for you. Some of these cookies are essential to how the site functions and others are optional. Optional cookies help us remember your settings, measure your use of the site and personalise how we communicate with you. Any data collected is anonymised and we do not set optional cookies unless you consent.

Set cookie preferences

You've accepted all cookies. You can change your cookie settings at any time.

Skip to main content

Privacy policy

Privacy statement

This website is operated by the Gambling Commission whose principal place of business is Victoria Square House, Victoria Square, Birmingham B2 4BP. We are an independent non-departmental public body sponsored by the Department for Digital, Culture, Media and Sport, a department of the United Kingdom government.

The Gambling Commission was set up under the Gambling Act 2005 (the Gambling Act) to regulate commercial gambling in Great Britain in partnership with licensing authorities. We also regulate the National Lottery under the National Lottery etc. Act 1993.

In order to carry out our regulatory functions and meet our legal responsibilities, we need to collect certain personal data and, when we do, we are a ‘data controller’ of that information for the purposes of the General Data Protection Regulation (the GDPR) (which applies across the European Union including the United Kingdom), the Data Protection Act 2018 (the Data Protection Act) which supplements GDPR, extends its application in the UK, and implements the Law Enforcement Directive (which relates to processing personal data for law enforcement purposes) (the LED) in the UK.

What is personal data and special category data?

Under the GDPR, personal data is defined as any information relating to an identified or identifiable natural person. It can include obvious identifiers like your name but also identification numbers, online identifiers and/or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.

Special category data includes data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and genetic data, biometric data, data concerning health or data concerning a person’s sex life or sexual orientation.

What personal data do we collect, for what purpose and what is the basis for doing so?

We collect and process personal data based on one or more of the following legal bases:

  • Consent: the individual has given clear consent for us to process their personal data for a specific purpose
  • Contract: the processing is necessary for a contract we have with the individual or their organisation, or because they have asked us to take specific steps before entering into a contract
  • Legal obligation: the processing is necessary for us to comply with the law (not including contractual obligations)
  • Vital interests: the processing is necessary to protect someone’s life
  • Public task: the processing is necessary for us to perform a task in the public interest or for our official functions, and the task or function has a clear basis in law.

We collect and process special categories of personal data based on one or more of the legal bases set out above and where one of the separate conditions for processing applies, the most likely being: processing is necessary for reasons of substantial public interest, on the basis of UK law and is proportionate to the aim pursued, or processing is necessary for the establishment, exercise or defence of legal claims.

As a regulatory body, most of the personal data that we collect and process is data relating to our regulatory functions and responsibilities. Therefore, for the most part (and for the reasons set out below), when we are processing data it will be on the basis that it is necessary for the performance of a task carried out in the public interest and/or in exercising our statutory functions. We have sought to explain how this works below and also what other lawful bases apply to our processing of data in the relevant categories.

We will also be acting as a prosecutor in relation to certain gambling offences, and processing data for this purpose. The effect of this is picked up below.

Licence applicants and National Lottery vetting

When we receive an application for a licence for a business, for a personal licence via application online, or carry out vetting processes for 'vetted roles' in relation to the National Lottery, we create or update the information we hold about that person on our systems. We use that data to decide whether to approve the application and issue the licence.

The provision of data for the purposes of licence applications and vetting processes is required by law. Failure to provide the information requested constitutes an offence under the Gambling Act and will lead to the application being refused. The provision of data for the purpose of vetting procedures is required by law under the National Lottery etc. Act 1993. If we find that any individual does not meet the necessary standards required by law, they may not be employed in a vetted role. It is also vital, of course, that care is taken to ensure that the information supplied is accurate (including in the period between the submission of the application and the date of the decision). If this is not done, there is a possibility that the licence subsequently issued may be reviewed and potentially revoked.

We are also required to conduct ‘suitability assessments’ as part of the licensing process. For this purpose, we will obtain personal data relating to applicants from third parties such as Disclosure and Barring Service/Disclosure Scotland, CreditSafe and Experian. Obtaining data from third parties is explained further below.

The licensing objectives under the Gambling Act are:

  • preventing gambling from being a source of crime and disorder, being associated with crime or disorder or being used to support crime
  • ensuring that gambling is conducted in a fair and open way
  • protecting children and other vulnerable people from being harmed or exploited by gambling.

Therefore, our collection of personal data for licensing purposes may also be used to:

  • comply with our statutory function and legal obligations
  • inform our regulatory work in accordance with these objectives – including investigations and enforcement
  • assist other regulators or law enforcement agencies
  • check our level of service and to help us improve things where we can
  • conduct research/ collate statistics for publication and/or for the purposes of formulation of policy. Although, in this case, the persons’ data will not identify individuals (in other words, it will be anonymised).

Fourth National Lottery Licence

Under the National Lottery Act 1993, the Gambling Commission must ensure that the Licensee is fit and proper to operate the National Lottery.

As part of competition for the Fourth National Lottery Licence and to ensure the Gambling Commission complies with this legal obligation, the Commission will carry out fit and proper checks during the competition on all applicants and also key individuals or entities who appear to the Commission to be likely to manage the business or any part of the business of running the National Lottery and who would benefit from the running of the National Lottery, should the applicant be successful.

Fit and proper checks examine the identity, integrity, criminality and financial integrity of those operating or benefiting from the National Lottery (or applying to do so). When undertaking fit and proper checks we will collect and process the following personal data of the applicant and the key individuals who fulfil the description set out above:

Individual vetting applications:

― After the application is determined, the Commission will only retain the application form and the Fit & Proper letter issued to the Applicant, all other documents are deleted.

Corporate vetting applications:

― After the application is determined, the Commission will retain Declaration, Memorandum & Articles of Association, Form of Authority & Waiver; Licence agreements and our Fit & Proper letter (with all else being deleted upon finalising the application):

We may contact the following agencies to report on spent and unspent convictions, cautions, penalties, fines and intelligence:

― Disclosure Scotland & Disclosure & Barring Services ― FCA ― Insolvency Agency ― HMRC ― Serious Fraud Office ― Security Services

Our purpose for collecting and processing this personal data is to ensure the applicant and key individuals or entities who will benefit from the running of the National Lottery (should the applicant be successful) are fit and proper.

Our lawful basis for processing personal data for this purpose is to comply with our legal obligation under the National Lottery Act 1993. To the extent that fit and proper checks return details of previous criminal convictions or we otherwise process criminal offence data as part of the fit and proper checks, our condition for processing criminal offence data, under schedule 1 of the Data Protection Act 2018, will be to perform our statutory and government purposes.

For further information, applicants should refer to the other sections of this privacy statement and the guidance note “Information for applicants: Fit and Proper Checks during the Competition for the Fourth National Lottery Licence”.

The successful applicant, will be subject to ongoing obligations in respect of fit and proper checks in accordance with the Fourth National Lottery Licence.

People who already hold an operating and or personal licence

We operate an eServices portal for existing licensees which allows them/ their representatives to:

  • (operators) apply for additional licences, add/ remove/change licence activities, submit key events and Licence conditions and codes of practice (LCCP) notifications, submit regulatory returns or audits, and pay invoices using a credit or debit card
  • (personal licensees) download a copy of their licence, submit key events and LCCP notifications, and submit Personal Licence Maintenance forms (which are required to ensure information is up to date – every five years).

This information is held for the regulatory purposes set out in the Gambling Act. This data may also be used for the additional purposes directly above for the same reasons. We publish the names of all companies and individuals who hold, or have applied for, operating licences in Great Britain. We also publish the names of companies or individuals whose licences have lapsed, been revoked, forfeited, expired, suspended or surrendered in the last three years. If a licensee is, or has been, subject to a regulatory sanction they are also listed on the regulatory action area of our website. We do this in order to comply with our legal obligations under the Gambling Act.

People we are investigating/regulatory action

The Gambling Act requires that we undertake activities for the purposes of assessing compliance with the Act/ whether any offence has been committed under the Act/and to institute criminal proceedings.

We will use personal data in the course of conducting investigations (and deciding outcomes) into the activities of personal and operator licensees.

This information may also be relevant to our wider regulatory objectives and statutory functions. We may, for example, derive information from our investigations which help us improve our understanding of the gambling market and assessment of the risks it faces (and potential risks to consumers as a result), and to seek continuous improvements in the market and our regulation of it.

As mentioned above, we will also publish regulatory action we take following our investigations.

We will also be acting as a prosecutor in relation to certain gambling offences – where the relevant provisions of the LED (as implemented by the Data Protection Act) will be engaged.

Complainant data

Our complaints page lists the sorts of complaints we may see in the course of our work (and explains how you might raise a complaint) – these include:

  1. Consumer complaints about a gambling business (save for that mentioned below, these will generally be made to the business itself first or, if necessary, by an Alternative Dispute Resolution (ADR) process)
  2. Complaints about ADR providers
  3. Whistleblowing about the way a gambling business is run
  4. Complaints about the National Lottery
  5. Complaints about the Gambling Commission.

When we receive any such complaint, we will create a complaint file which will identify the complainant (and include their contact details) and others who may be named in the complaint.

We will ordinarily have to share the complainant’s identity with the operator or person complained about. It may be necessary for the person complained about to access any relevant information they hold on a complainant (eg relevant customer account details, history) to help us resolve the complaint. The more complete a picture that we have of the issues complained about, the better prospect we will have in dealing with it effectively. If a complainant tells us that they do not want to be identified to the operator/ person complained about, we will try to respect that. But where there is an overarching public interest to progress a complaint made, which cannot be done without disclosing the complainant’s identity, we may decide to do so.

A complaint may also lead to regulatory action as set out above; as such, the relevant data may also form part of the investigation file.

We may publish research or statistics regarding the complaints we deal with in a relevant period; but we will not do this in a way which identifies individual complainants.

Gambling Commission Consultations

As part of the Gambling Commission’s regulatory responsibilities, it will publish consultations on various topics, seeking the views of the industry, companies, parliamentarians, researchers and the public.

We will process your personal data for the purpose of informing the development of our policy, guidance and other regulatory work in the subject area of the consultation. If contact details are provided, we may use these to monitor responses or contact you in relation to the consultation.

We may publish a summary of the consultation responses, but these will not contain any personal data. We may decide to publish your name (and on whose behalf you have responded) to indicate that you have responded to this consultation, we will only ever do this with your consent.

The lawful basis we are relying on to process your personal data is article 6(1)(e) of the GDPR, which allows us to process personal data when this is necessary for the performance of our public tasks in our capacity as a regulator.

What are your rights?

You have the right to request access to the personal data that we hold about you. You have the right to ask for your personal data to be rectified or erased, or to restrict the way in which we process it. You have the right to object to the processing of your personal data. If you are unhappy with the way in which we have processed your personal data then you have the right to complain to a supervisory authority.

If you wish to exercise any of these rights, please email stating your name, email address and the consultation(s) to which you responded.

Do we use any data processors?

If we are using a third party as part of a consultation you will be informed of this and provided with any additional information that may be required as per data protection requirements.

What are cookies?

When we provide services, we want to make them easy, useful and reliable. Where services are delivered on the internet, this sometimes involves placing small amounts of information on your device, for example, computer or mobile phone. These include small files known as cookies. They cannot be used to identify you personally. These pieces of information are used to improve services for you through, for example:

  • enabling a service to recognise your device so you don’t have to give the same information several times during one task
  • recognising that you may already have given a username and password so you don’t need to do it for every web page requested
  • measuring how many people are using services, so they can be made easier to use and there’s enough capacity to ensure they are fast.

You can manage these small files yourself and learn more about them through cookies – what they are and how to manage them. Our use of cookies

Our use of cookies

Usage analysis: We use Google Analytics to create anonymous cookies and log the IP addresses of visitors. We do not collect any personal information in the process. We collect this data to assess which parts of the website are the most popular and identify trends in usage, helping to guide the development of new web pages.

Table of detailing what cookies we use on the website

ServiceNamePurposeExpiresIf disabled
eServices_RequestVerificationTokenAnti-forgery token to prevent fraudulent use of form submissionsOn browser closeEnables fraudulent activity and rogue form submissions
eServicesEservicesSession ID for the userOn browser closeService won’t be usable
eServicesEservices.AccountUserSession ID for the account the user is logged in as1 HourService won’t be usable
eServices.OLEOnlineRandomly generated session IDOn browser closeService won’t be usable
Application Online_RequestVerificationTokenAnti-forgery token to prevent fraudulent use of form submissionsOn browser closeAs eServices
Application OnlineASP.NET_SessionIdSession IDOn browser closeService won’t be usable
LA Returns_RequestVerificationTokenAnti-forgery token to prevent fraudulent use of form submissionsOn browser closeService won’t be usable
LA ReturnsASP.NET_SessionIdSession IDOn browser closeAs eServices
PL eServicesASP.NET_SessionIdSession IDOn browser closeService won’t be usable
All (Incl. External website)_UTMA through to _UTMZ, _ga and _gidGoogle Analytics cookies (opens in new tab)Differs by cookie, seelinkNo impact to service if disabled
Public Register and Fee Calculator_RequestVerificationTokenAnti-forgery token to prevent fraudulent use of form submissionsOn browser closeAs eServices
Public Register and Fee CalculatorASP.NET_SessionIdSession IDService won’t be usable

How we use information website visitors provide us with

We do not use cookies for collecting user information. Except as otherwise stated, we may use information visitors provide via this website to communicate information to them (if they have requested it) and for internal marketing and research purposes. We do not disclose any information visitors provide via the website to any third parties or other government departments except where:

  • such disclosures are necessary to fulfil our service obligations to them, in which case we will require such third parties to agree to treat it in accordance with this Privacy Policy
  • required by applicable laws, court orders or government regulations (for example to prevent or detect crime) or they give us permission to do so.

We take reasonable precautions to prevent the loss, misuse, or alteration of data that visitors give us. If you would like us to correct or update any information, or if you would like information deleted from our records, then please contact us on, or write to:

Data Protection Officer
Gambling Commission
Victoria Square House
Victoria Square
B2 4BP

User research

Purpose for processing

The purpose for collecting your personal data is so that you can register for our user research programme. We may then contact you about upcoming sessions within the user research programme, which you may want to get involved in.

The legal basis we rely on for processing your personal data is consent under article 6(1)(a) of the General Data Protection Regulation (GDPR).

We have a legal obligation to make our services accessible, in order to do this, we will also collect information from you about your accessibility requirements. The legal basis we rely on for processing this information is consent under Article 9(2)(a) of the GDPR.

What we need

We need the following pieces of data:

  • Your name
  • Your email address
  • Your telephone number
  • What country you are located in
  • An indication of how you would best describe yourself in relation to the gambling industry
  • Whether you hold a gambling licence or not
  • How you would like to take part in user research
  • How you found out about the user research programme
  • Whether you use any specialist equipment when using the internet
  • How you would score yourself on a scale of expertise in terms of technology

Why we need it

We will use your name, email address and telephone number to contact you about upcoming user research sessions.

We will use the remaining data to identify individuals that belong to specific user groups, who we would like to participate in an upcoming user research session.

What we do with it

We only use your personal data as part of the user research programme. You will receive a confirmation email once you have registered for the user research programme.

We may then send you an email about upcoming user research sessions that you may be interested in. You will be provided with some background information of what to expect and a consent form to sign.

You have no obligation to participate in a user research session. If you do want to participate, you can opt out or stop the user research session at any time.

You can opt out of the user research programme at any time, which will mean you won’t get any future correspondence about upcoming user research sessions.

Once we receive your consent, we will allocate a participant number against your personal data. This participant number will then be used to record your feedback within a separate document. Your personal data will not be shared with anyone else.

You can opt out of the user research programme at any time, which will mean you won’t get any future correspondence about upcoming user research sessions. To opt out emailing us at and we will remove your details.

How long we keep it

We will keep your personal data within the user research programme for 3 years. Before this time is due to lapse, we will contact you to see if you would like to still be registered.

Once you have consented for a user research session, we will retain your personal data against a participant number for 12 months. The feedback provided against the participant number will be retained until it is no longer relevant or necessary.

What are your rights?

If you want to know more about your rights, please refer to the Your rights section within this privacy statement.

Do we use data processors?

Yes - we use GOV.UK Notify to send out emails on our behalf. For more information, please see GOV.UK Notify’s privacy notice (opens in new tab). You will be informed of any other processor/s used as part of the initiative you take part in.

How long we keep the information

We operate under a detailed data retention policy which sets out how long certain categories of data will be retained and/or how often certain data will be reviewed for the purpose of assessing whether it needs to be retained. We have four main retention periods:

  • 25 years: for data relating to research
  • 10 years for data associated with contracts that we have entered into and also for enforcement activities
  • 5 years for data relating to Regulation of Investigatory Powers Act 2000, intelligence activities and reports, licensee and operator documents (including correspondence, reports, reviews and assessments)
  • 3 years for data relating to call centre records and complaints.

Fourth National Lottery Licence

Personal data collected and processed for the purposes of fit and proper checks on Applicants (and other key individuals) of the Fourth National Lottery Licence shall be retained until August 2025.

Personal data collected and processed for the purposes of fit and proper checks on the licensee of the Fourth National Lottery Licence (the successful Applicant and other key individuals) shall be retained for the life of licence plus 7 years.

Keeping your personal information secure

We have a duty to, amongst other things:

  • keep sufficient information to provide services and fulfil our legal responsibilities
  • keep your records secure and accurate
  • only keep information as long as it is required.

We will use technical and organisational measures in accordance with good industry practice to safeguard your information. For example, we follow best practice in line with the ISO:27001 – the ISO standard on information security and hold cyber essentials.

Obtaining data from third parties

In accordance with our statutory functions and powers, we will obtain data from third parties in the following ways (and for the following reasons):

  • in order to confirm information supplied to us in the licensing application process and/or for the purposes of suitability assessments. This may include data organisations such as CreditSafe and Experian, as well as public registers, and information from other regulatory bodies. As part of our applications process, we include an authorisation for release of information – which confirms (for the purposes of the third parties we approach) applicants’ agreement to the supply of information from governmental and public bodies, financial institutions etc. To the extent the relevant information requested/supplied by these third parties constitutes personal data, we do not rely on consent as the lawful basis for processing the same. As explained above, this processing will be for the purposes of exercising our official authority and statutory functions as regulator of the gambling industry.
  • from operators at our request for the purposes of our exercise of our functions, particularly in the context of seeking to achieving our regulatory objects under the Gambling Act. This may include information about problem gamblers, for example.
  • from complainants, other regulatory bodies, witnesses and experts about persons relevant to a regulatory investigation
  • data provided by licence applicants identifying people relevant to the application who are not the applicants themselves (e.g. funders).

In each case, the information is important to the exercise of our regulatory functions; and, we will not generally notify the relevant individuals when such data is received from third parties. In certain circumstances, particularly where there is a possibility of criminal activity being identified and actioned, notification could obviously hinder this process. In other cases, the information is necessary (and failure to provide it could lead, for example, to a refused application or even an offence being committed under the Gambling Act) and/or notifying individuals would involve disproportionate effort.

Who we share personal data with

Your data may be shared with third parties who fulfil a service on our behalf, and under our express instructions. It may also be shared with other bodies where it is necessary to do so and where we are legally required or permitted to do so. This may include:

  • third party payment processors
  • relevant public authorities
  • gambling operators
  • sports governing bodies
  • other regulators
  • law enforcement agencies (including overseas).

We also share data with third parties for the purpose of vetting applicants. Such third parties include:

  • Camelot
  • Experian
  • Disclosure and Barring Service and/or Disclosure Scotland
  • Serious Fraud Office
  • Her Majesty's Revenue and Customs
  • Financial Conduct Authority.

Finally, in limited circumstances we share personal data with market research organisations for research purposes.Sharing data is primarily for the purpose of performing our regulatory functions such as assessing individuals’ suitability to be licensed, but it may also be necessary to share information for other reasons, such as the prevention and detection of crime or the collection of tax and gaming duty.

Your rights

Depending upon the information we hold about you, and the reasons for our holding it, you have various rights under the GDPR/ the Data Protection Act – as set out below. If you have any questions about this, please contact our Data Protection Officer at the address stated above.

The right to rectification

You are entitled to have relevant records/ files amended if the personal data we hold is inaccurate or incomplete. This can be done by certain individuals via their eServices account.

The right to erasure

In limited circumstances you will have the right (where the data is no longer needed for the purposes it was collected, where you have withdrawn consent and there is no other lawful basis on which we can continue to process it, you object to processing and there are no overriding legitimate grounds to continue, where the data has been unlawfully processed or where the data has to be erased for compliance with a legal obligation) to request that we erase the information we hold about you.

As most of our processing is conducted in order for us to comply with a legal obligation and/or perform a public task, this right will not be available in most circumstances.

The right to restrict processing

You have the right to seek to restrict processing of your data in the following circumstances:

  • the accuracy of the data is contested – for a period necessary to allow us to verify its accuracy
  • the processing is unlawful and you request restriction instead of erasure, or
  • we no longer need the data for the purposes it was collected, but you need it in connection with a legal claim.

The right to object processing

You have the right to object to our processing of data which is done on our predominant ground for processing – the exercise of our statutory/ regulatory functions. In this case, we will stop processing unless we can demonstrate compelling legitimate grounds for continuing the processing which override your interests.

Law enforcement processing

The Data Protection Act (2018) (opens in new tab) (implementing the LED) sets out how the rights (together with rights of access – explained below) apply in circumstances where we are prosecuting/conducting law enforcement processing. This includes the prospect of certain rights being restricted (in whole or in part) where necessary and proportionate: to avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences or expectation of criminal penalties; to avoid obstructing an official or legal inquiry, investigation or procedure; or to protect public security, national security, or the rights and freedoms of persons other than the data subject.

Accessing your personal data

You have the right to confirmation as to whether or not we are processing your personal data and, if access the data together with the reasons we hold it, the period it will be retained and who the information has been shared with.

Your request must be in writing. You can submit your request by post or email to

The request must include:

  • your name
  • your address/ email address for sending the information to you
  • a description of the information you wish to obtain.

To ensure confidentiality, we will need evidence which confirms your identity. A copy of photo identification, and proof of your address such as a copy of a photo driving licence or passport and a recent utility bill. Please do not send original documents.

Most requests will receive a response within one month of receipt of a valid request; those which are more complex or numerous may take up to three months.

You may not be entitled to see all the information held about you if an exemption under the GDPR/ the Data Protection Act applies, eg if it contains data mixed with other individuals’ data, if disclosure would prejudice the exercise of our regulatory functions or is subject to legal privilege. Requests which are manifestly unfounded or excessive will be refused.

Overseas transfers

Our systems are UK based. The prospect of international transfer of data will only generally arise in circumstances where we need to send information to our international gambling regulatory counterparts, sports governing bodies based overseas or to officials overseas in connection with regulatory or criminal investigations or processes.

Changes to this privacy statement

We keep this privacy statement under regular review and may change it from time to time. If we change this statement we will post the changes on this page, and place notices on other pages of our website as applicable.

Stakeholder events privacy notice

Purpose for processing

The purpose for collecting your personal data is so that we can communicate with you about our events. We may ask you for your consent for your name and email address to be shared amongst the other attendees of any event for the purposes of networking and building relationships.

What we need

If you wish to attend one of our events, you will be asked to provide your contact information including your name, the organisation you work for (if you are attending on their behalf) and, if offered a place, information about any dietary requirements or accessibility requirements you may need.

The legal basis we rely on for processing your personal data is consent under article 6(1)(a) of the General Data Protection Regulation (GDPR).

Where we have collected personal information relating to your accessibility and dietary requirements we rely on consent as the legal basis for processing this information under Article 9(2)(a) of the GDPR.

Why we need it

We will use your contact details to communicate with you about the event and also to ensure that we can accommodate your personal requirements.

What we do with it

We only use your personal data to invite you to events and keep you updated afterwards. You will receive initial invitations to events, reminder emails and, if you are allocated a place, any pre-event information. After the event, we may share a write up of the discussions and our plans for next steps.

We may ask you for your consent for your name and email address to be shared amongst the other attendees of any event for the purposes of networking and building relationships. Your personal data will not be shared with anyone else, except for the below specific events:

  • Lived Experience Events: For those who consent, we will share your details with The Health and Social Care Alliance Scotland (the ALLIANCE) for engagement in Scotland. For more information, please see their privacy policy (opens in new tab).

We will ask for your consent to email you about future events that you may be interested in.

You have no obligation to participate in events. If you do want to participate, you can opt out at any time. If you opt out, this will mean you won’t get any future correspondence about upcoming events from us. If you wish to opt out, please contact us

Where you have provided us with information about dietary and accessibility requirements we will share anonymised information with the venue.

How long we keep it

We will keep your personal data within our contacts list for 3 years from when we last contacted you, at which point we will either delete it or contact you again to regain your consent.

Information that we collect relating to your dietary and accessibility requirements will be deleted after the event.

What are your rights?

If you want to know more about your rights, please refer to the Your rights section within the Gambling Commission privacy statement.

Do we use data processors?

Yes - we use Mailchimp, SurveyMonkey and Eventbrite to send out emails on our behalf for events. For more information, please see their privacy policies:

You will be informed of any other processor/s used as part of the event you take part in.

Recruitment privacy policy

As part of any recruitment process, the organisation collects and processes personal data relating to job applicants. The organisation is committed to being transparent about how it collects and uses that data and to meeting its data protection obligations.

What information does the organisation collect?

The organisation collects a range of information about you. This includes:

  • your name, address and contact details, including email address and telephone number
  • details of your qualifications, skills, experience and employment history
  • information about your current level of remuneration, including benefit entitlements
  • whether you have a disability for which the organisation needs to make reasonable adjustments during the recruitment process
  • information about your entitlement to work in the UK
  • equal opportunities monitoring information, including information about your ethnic origin, sexual orientation, health, and religion or belief.

The organisation collects this information from you in a variety of ways. For example, data might be contained in application forms, CVs or resumes, obtained from your passport or other identity documents, or collected through interviews or other forms of assessment, including online tests.

The organisation will also collect personal data about you from third parties, such as references supplied by former employers, information from employment background check providers and information from criminal records check providers.

The organisation will seek information from third parties only once a job offer has been made to you and will inform you that it is doing so.

Data will be stored in a range of different places, including on your application record, in HR management systems and on other IT systems (including email).

Why does the organisation process personal data?

The organisation needs to process data to take steps at your request prior to entering into a contract with you. It also needs to process your data to enter into a contract with you.

In some cases, the organisation needs to process data to ensure that it is complying with its legal obligations. For example, it is required to check a successful applicant's eligibility to work in the UK before employment starts.

The organisation has a legitimate interest in processing personal data during the recruitment process and for keeping records of the process.

Processing data from job applicants allows the organisation to manage the recruitment process, assess and confirm a candidate's suitability for employment and decide to whom to offer a job. The organisation may also need to process data from job applicants to respond to and defend against legal claims.

Where the organisation relies on legitimate interests as a reason for processing data, it has considered whether or not those interests are overridden by the rights and freedoms of employees or workers and has concluded that they are not. The organisation processes health information if it needs to make reasonable adjustments to the recruitment process for candidates who have a disability. This is to carry out its obligations and exercise specific rights in relation to employment.

Where the organisation processes other special categories of data, such as information about ethnic origin, sexual orientation, health or religion or belief, this is for equal opportunities monitoring purposes.

For some roles, the organisation is obliged to seek information about criminal convictions and offences. Where the organisation seeks this information, it does so because it is necessary for it to carry out its obligations and exercise specific rights in relation to employment. The organisation has in place an appropriate policy document and safeguards which it is required under the relevant legislation to maintain when processing such data.

If your application is unsuccessful, the organisation will keep your personal data on file in case there are future employment opportunities for which you may be suited. The organisation will ask for your consent before it keeps your data for this purpose and you are free to withdraw your consent at any time by contacting HR Services by email at

Who has access to data?

Your information will be shared internally for the purposes of the recruitment exercise.

This includes members of the HR and recruitment team, interviewers involved in the recruitment process, managers in the business area with a vacancy and IT staff if access to the data is necessary for the performance of their roles. The organisation will not share your data with third parties, unless your application for employment is successful and it makes you an offer of employment.

The organisation will then share your data with former employers to obtain references for you, employment background check providers to obtain necessary background checks and the Disclosure and Barring Service to obtain necessary criminal records checks.

The organisation will not transfer your data outside the European Economic Area.

How does the organisation protect data?

The organisation takes the security of your data seriously. It has internal policies and controls in place to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by our employees in the proper performance of their duties. Our Information Security Policy and Data Protection Policy, which may be obtained by contacting HR Services by email at, provides more information on how we keep your data safe and secure.

For how long does the organisation keep data?

If you enter into a selection process for a specific vacancy and your application for employment is then unsuccessful, the organisation will hold your data on file for 6 months after the end of the relevant recruitment process in accordance with our Data Retention Policy.

If you agree to allow the organisation to keep your personal data on file for longer, by ticking the box at the end of this Privacy Notice, the organisation will hold your data on file for 12 months from date of application for consideration for both this role and future employment opportunities. At the end of that period or once you withdraw your consent, your data will be securely deleted or destroyed.

If your application for employment is successful, personal data gathered during the recruitment process will be transferred to your personnel file and retained during your employment. The periods for which your data will be held will be provided to you in a new privacy notice.

Your rights

As a data subject, you have a number of rights. You can:

  • access and obtain a copy of your data on request
  • require the organisation to change incorrect or incomplete data
  • require the organisation to delete or stop processing your data, for example where the data is no longer necessary for the purposes of processing
  • object to the processing of your data where the organisation is relying on its legitimate interests as the legal ground for processing
  • ask the organisation to stop processing data for a period if data is inaccurate or there is a dispute about whether your interests override the organisation's legitimate grounds for processing data.

If you would like to exercise any of these rights, please contact HR Services by email

You can make a subject access request by completing the organisation's form for making a subject access request.

If you believe that the organisation has not complied with your data protection rights, you can complain to the Information Commissioner’s Office, the UK supervisory authority for data protection issues.

What if you do not provide personal data?

You are under no statutory or contractual obligation to provide data to the organisation during the recruitment process. However, if you do not provide the information, the organisation may not be able to process your application properly or at all.

You are under no obligation to provide information for equal opportunities monitoring purposes and there are no consequences for your application if you choose not to provide such information.

Automated decision-making

Recruitment processes are not based solely on automated decision-making.

How to contact us

If you would like to contact us with any Data Protection issues then please contact us on

How to complain privacy policy

If you have any concerns about how we collect or process your data then you can write to our Data Protection Officer or refer to our complaints page. You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO). Complaints can be submitted to the ICO through its helpline by calling 0303 123 1113. Further information about reporting concerns to the ICO is available on the ICO website (opens in new tab).

Do you need any extra help

If you would like this privacy statement in another format (eg audio, large print, braille) please contact us

Is this page useful?
Back to top