Official regulatory body • Gambling Commission subsidiary
UK GDPR & Data Protection Act 2018

Privacy Policy

How BeGamblewareSlots collects, uses, and protects your personal data in accordance with UK data protection law.

Version: 2.1
Last updated: 15 Jan 2025
ICO registered: Yes
DPO appointed: Yes

Important: This privacy policy applies to personal data collected through begamblewareslots.org.uk and related services. It does not apply to third-party websites we link to.

Data Controller:
Organisation: BeGamblewareSlots Limited
Company number: 14728493
ICO registration: ZB428749
Registered address: Pennine Place, 2a Charing Cross Road, London WC2H 0HF, United Kingdom
Data Protection Officer: Catherine Edwards
DPO contact: [email protected]

Legal framework

Our data protection practices comply with UK data protection legislation

UK GDPR

We comply with the UK General Data Protection Regulation as incorporated into UK law following Brexit. This provides comprehensive protection for personal data processed in the UK.

Key principles we follow:
  • Lawfulness, fairness, and transparency
  • Purpose limitation
  • Data minimisation
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality
  • Accountability

Data Protection Act 2018

The Data Protection Act 2018 supplements UK GDPR, providing specific provisions for public interest processing and law enforcement. Our regulatory functions fall under Part 2 (General Processing) provisions.

Relevant provisions:
  • Schedule 1, Part 1: Public task processing
  • Section 8: Regulatory activities exemption
  • Schedule 2, Part 2: Research exemptions
  • Section 45: Regulatory guidance functions

ICO Registration

BeGamblewareSlots is registered with the Information Commissioner's Office (ICO), the UK's independent data protection authority. Our registration number is ZB428749.

What we collect and why

Personal data we collect

We collect only the personal data necessary to fulfil our regulatory functions

Contact forms and correspondence

Information you provide when contacting us

General enquiries
Data collected: Name, email, phone (optional), organisation (optional), message content
Purpose: Respond to enquiry, provide information about our services
Legal basis: Public task (UK GDPR Art. 6(1)(e))
Retention: 3 years

Formal complaints
Data collected: Name, email, phone, organisation, complaint details, reference number, supporting evidence
Purpose: Investigate and respond to complaints, maintain complaints records, escalate if necessary
Legal basis: Legal obligation (UK GDPR Art. 6(1)(c))
Retention: 7 years

FOI requests
Data collected: Name, email, postal address (optional), request details
Purpose: Process FOI request, respond within statutory timeframe
Legal basis: Legal obligation (FOI Act 2000)
Retention: 3 years

Verification enquiries
Data collected: Name, email, organisation/website, URL(s), enquiry type, details, current reference (optional)
Purpose: Process assessment requests, provide compliance guidance, manage appeals
Legal basis: Public task (UK GDPR Art. 6(1)(e))
Retention: 7 years

Media enquiries
Data collected: Name, email, outlet, phone, enquiry type, deadline, details, story context
Purpose: Respond to media requests, provide statements, coordinate interviews
Legal basis: Legitimate interests (UK GDPR Art. 6(1)(f))
Retention: 2 years

URL assessment data

Information collected during regulatory assessment activities

Data collected:

  • URL addresses and domain information
  • Website content (screenshots, text extracts)
  • Operator names and licensing information
  • Website owner/operator contact details (where publicly available)
  • Assessment determinations and supporting evidence
  • Correspondence with website operators
Legal basis:
Public task (UK GDPR Art. 6(1)(e))

Processing is necessary for the performance of a task carried out in the public interest. Our regulatory oversight function is established under the Gambling Act 2005 framework.

Purpose:
  • Conduct compliance assessments
  • Publish public registers
  • Report to Gambling Commission
  • Maintain assessment records
  • Process appeals
Retention period:
7 years

Retained for regulatory and legal purposes. Longer retention may apply for ongoing investigations or legal proceedings.

Website usage data

Technical information collected automatically

Essential cookies:

Required for website functionality. No consent required under PECR Regulation 6(4).

  • Session cookie: PHPSESSID
  • Cookie consent: cookie_consent
  • Retention: Session / 12 months

Analytics cookies:

Help us understand website usage and improve services. Requires consent under PECR Regulation 6(1).

  • Analytics provider: Google Analytics 4
  • IP anonymization: Enabled
  • Retention: 26 months

Collected data: IP address (anonymized), browser type, device type, pages visited, time on site, referral source. Legal basis: Consent (UK GDPR Art. 6(1)(a)). You can withdraw consent anytime via cookie settings.

How we share your data

We share personal data only where necessary for our regulatory functions or required by law

Gambling Commission

We share assessment findings, non-compliant URL details, and supporting evidence with the Gambling Commission for enforcement consideration.

Legal basis: Public task
Frequency: Quarterly reports
Data shared: Assessment records

GambleAware

As our parent organisation, GambleAware receives operational reports and aggregated statistics. Personal data is shared only where necessary for governance oversight.

Legal basis: Public task
Frequency: Monthly
Data shared: Operational metrics

Service providers

We use trusted third-party service providers who process personal data on our behalf as data processors under written contracts.

Processors include:
  • Cloud hosting providers (AWS EU regions)
  • Email service providers (Microsoft 365)
  • Analytics providers (Google Analytics)
  • Document storage (SharePoint UK)

Legal requirements

We may disclose personal data where required by law, court order, or to comply with legal process, or where necessary to protect rights and safety.

Examples:
  • Court orders or subpoenas
  • Law enforcement requests
  • FOI Act disclosure requirements
  • Protection of legal rights

Data processor safeguards

All service providers processing personal data on our behalf are bound by written contracts requiring:

• UK GDPR compliance
• Appropriate security measures
• Confidentiality obligations
• Prohibition on unauthorized use
• Data breach notification
• Return/deletion upon termination

Your data protection rights

Your rights under UK GDPR

You have legal rights regarding your personal data. We will respond to requests within one month.

Right of access

Request copy of personal data we hold about you (Subject Access Request).

UK GDPR Article 15
Response: 30 days

Right to rectification

Request correction of inaccurate or incomplete personal data.

UK GDPR Article 16
Response: 30 days

Right to erasure

Request deletion of personal data in certain circumstances (not absolute).

UK GDPR Article 17
Response: 30 days

Right to restrict processing

Request limitation on how we use your personal data in certain situations.

UK GDPR Article 18
Response: 30 days

Right to data portability

Receive personal data in structured, machine-readable format.

UK GDPR Article 20
Response: 30 days

Right to object

Object to processing based on legitimate interests or for direct marketing.

UK GDPR Article 21
Response: 30 days

Limitations on rights

Some rights may not apply in all circumstances. We may refuse or restrict requests where:

  • Data is required for regulatory functions (DPA 2018 Schedule 2, Part 2)
  • Legal retention requirements apply (7-year regulatory records)
  • Data necessary for legal claims or proceedings
  • Request manifestly unfounded or excessive

We will explain any refusal and inform you of your right to complain to the ICO.

How to exercise your rights

Contact our Data Protection Officer:

Name: Catherine Edwards
Postal address:
Data Protection Officer
BeGamblewareSlots
Pennine Place, 2a Charing Cross Road
London WC2H 0HF

What to include in your request:

  • Full name and contact details
  • Which right you wish to exercise
  • Details of the personal data concerned
  • Proof of identity (copy of passport/driving licence)
  • Reason for request (if objecting or requesting erasure)

Identity verification: We may request additional information to verify your identity before processing requests. This protects against fraudulent requests.

Data security

We implement appropriate technical and organisational measures to protect personal data

Encryption

  • TLS 1.3 for data in transit
  • AES-256 encryption at rest
  • Encrypted email communications
  • Encrypted database storage

Access controls

  • Role-based access (RBAC)
  • Multi-factor authentication
  • Regular access reviews
  • Principle of least privilege

Infrastructure

  • UK data centre locations
  • ISO 27001 certified providers
  • Regular security audits
  • Disaster recovery procedures

Staff training and policies

  • Mandatory data protection training for all staff
  • Confidentiality agreements and policies
  • Regular security awareness updates
  • Clear desk and screen policies
  • Secure disposal of physical records

Data breach procedures

In the event of a personal data breach, we follow documented procedures:

1. Immediate containment and investigation
2. Risk assessment and documentation
3. ICO notification within 72 hours (if required)
4. Affected individuals notified without undue delay
5. Remediation and preventative measures

International data transfers

Data remains in UK/EEA

All personal data is stored and processed within the United Kingdom and European Economic Area. We do not transfer personal data to countries outside the UK/EEA.

Service provider locations:

Primary hosting: AWS EU-West-2 (London)
Email services: Microsoft 365 (UK data centres)
Document storage: SharePoint UK
Backup storage: AWS EU-West-1 (Ireland)

Google Analytics: While Google LLC is US-based, we use IP anonymization and have configured data retention to UK/EU servers only. This complies with UK GDPR Article 46 safeguards.

Data retention periods

We retain personal data only as long as necessary for the purposes collected

URL assessment records
Assessment data, determinations, evidence, correspondence
Retention period: 7 years from assessment date
Legal basis for retention: Regulatory requirements, potential legal proceedings, audit trail
Disposal method: Secure deletion, documented destruction

Formal complaints
Complaint details, investigation records, outcomes
Retention period: 7 years from resolution
Legal basis for retention: Limitation Act 1980 (6 years), plus 1 year for administrative purposes
Disposal method: Secure deletion, documented destruction

FOI requests
Request details, responses, correspondence
Retention period: 3 years from response
Legal basis for retention: FOI Act 2000 record-keeping requirements, ICO guidance
Disposal method: Secure deletion

General enquiries
Contact form submissions, email correspondence
Retention period: 3 years from last contact
Legal basis for retention: Operational record-keeping, service improvement
Disposal method: Secure deletion

Website analytics
Anonymized usage data, IP addresses (hashed)
Retention period: 26 months
Legal basis for retention: Google Analytics default, ICO guidance on analytics retention
Disposal method: Automatic deletion by processor

Media enquiries
Press contacts, interview records, statements
Retention period: 2 years from last contact
Legal basis for retention: Operational purposes, ongoing media relations
Disposal method: Secure deletion

Staff records
Employment data, training records, access logs
Retention period: 6 years after employment ends
Legal basis for retention: Employment law, tax requirements (HMRC 6-year rule)
Disposal method: Secure shredding, secure deletion

Extended retention: Personal data may be retained beyond stated periods where required for ongoing legal proceedings, regulatory investigations, or where we have a legal obligation to retain data. You will be informed if extended retention applies to your data.

Changes to this privacy policy

We may update this privacy policy from time to time to reflect changes in our practices, legal requirements, or service offerings. We will notify you of significant changes through:

Website notification: Prominent banner on homepage
Email notification: To active correspondents
30-day notice: Before changes take effect

Version history:

Version 2.1 (Current): 15 January 2025
Version 2.0: 01 November 2024
Version 1.0: 01 September 2024

We recommend reviewing this privacy policy periodically. Continued use of our services after changes constitutes acceptance of updated terms.

Contact our Data Protection Officer

Questions about your personal data or how we process it? Contact our DPO.

Data Protection Officer

Name: Catherine Edwards
Postal address:
Data Protection Officer
BeGamblewareSlots
Pennine Place, 2a Charing Cross Road
London WC2H 0HF
United Kingdom
Response time: Within 30 days of receipt

Make complaint to ICO

If you are unhappy with how we have handled your personal data, you have the right to lodge a complaint with the Information Commissioner's Office.

ICO website: ico.org.uk
ICO helpline: 0303 123 1113
ICO postal address:
Information Commissioner's Office
Wycliffe House, Water Lane
Wilmslow, Cheshire SK9 5AF