Privacy Notice

The GSC relies on a number of statutory instruments to process your data. These can be found in the Legislation section of this website. For the purposes of this privacy notice, they will be collectively referred to as the “Gambling Acts”

This legislation is supplemented through relevant guidelines or advice issued to the sector, which can be found in the “Application forms and guidance notes section” of this website.

We generally collect the following types of personal data for the work we do:

1. Identifying: such as name, date and place of birth, nationality and other unique identifiers such as government-issued identification and national insurance number
2. Contact: such as telephone number, email address, physical addresses
3. Professional: such as education and employment history including schools and places of higher education attended, relevant qualifications, details of current and previous employment, and academic and employment references
4. Financial: such as a person’s financial situation, solvency and any past declarations of bankruptcy
5. Legal: such as being subject to current or past litigation, or being subject to successful investigation by a governmental, professional or other regulatory body
6. Criminal activity: such as convictions and charges

Under almost all circumstances, we do not collect personal data relating to special categories such as children, race, ethnicity, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data, health, sex life or sexual orientation.

If we find that we hold personal data of this nature, we will take appropriate steps to delete that data and prevent it from being acquired in future.

Data we collect about legal entities, such as companies, in the course of exercising our statutory functions is restricted information as defined by Schedule 2 of the Gambling Supervision Act 2010, but is not personal data as it does not relate to an individual.

The GSC is responsible for the licensing and regulation of land-based gambling operations (casino, amusement and slot machines, betting offices and lotteries), as well as the regulation of all online gambling activities on the Isle of Man.

The GSC’s regulatory objectives, set out in Section 5 of the Gambling Supervision Act 2010, are to:-

• Ensure that gambling is conducted in a fair and open way
• Protect children and other vulnerable persons form being harmed or exploited by gambling
• Prevent gambling from being a source of crime, to be associated with crime or disorder and or used to support crime

Our collection of personal data for licensing purposes may be used to:

• Carry our suitability checks to comply with our statutory functions
• Inform our regulatory work in accordance with these objectives – including investigations and enforcement
• Assist other regulators or law enforcement agencies
• Check our level of service and to help us improve things where we can
• Conduct research/ collate statistics for publication and/or for the purposes of formulation of policy. Although, in this case, the persons’ data will not identify individuals (in other words, it will be anonymised).

Vetting of individuals

When considering an application for a company to become a licence holder we also need to know about the individuals who will be involved in the control or management of licence holders (“approved roles”).

Individuals holding an approved role require approval by the Commission before a decision to approve the application and issue the licence can be made.

We therefore request personal information from holders of approved roles so that we can carry out our due diligence checks and assess their integrity, competence, and solvency as required by the relevant Gambling Act. For the purpose of this notice, these checks are referred to as suitability checks.  

In some cases we may obtain enhanced due diligence reports and conduct on-going monitoring of politically exposed people (PEP) data, sanctions, adverse media coverage and law enforcement data to assist us in or obligations to prevent money laundering, terrorist financing and financial crime.

Failure to provide the information requested constitutes an offence under the Gambling Acts and will lead to the application being refused.

An individual not meeting the suitability checks, may not hold a position that requires approval by the Commission.

After the application is determined, the Commission will retain a copy of the personal declaration form you completed and any supporting documents you provide.   

For further information on the reason for carrying out these checks, please refer to the relevant “Integrity Control Guidance” on the “Application forms and guidance notes” section on our website.

Successful applicants will be subject to ongoing obligations in respect of fit and proper checks in accordance with the relevant Gambling Act.

We also collect personal data about individuals with whom we interact with on a regular basis to meet our operational needs, such as those who provide us with goods and services or contact us by email to ask a question.

Vetting of corporate licence applications

After the application is determined, the Commission will retain a copy of the application form and any supporting documents you provide

It is also vital, that care is taken to ensure that individuals provide us with accurate personal data, including in the period between the submission of the application and the date of the decision. Subsequent reviews that highlight inaccurate information may lead to the possibility that the licence subsequently issued may be reviewed and potentially revoked.

In accordance with our statutory functions and powers, we will share your personal data with third parties to help us (or them) to exercise our (or their) functions appropriately.

We will share the minimum amount of personal data needed to carry out our suitability checks in order to perform our regulatory functions.

We will share with and obtain personal data from third parties in the following ways (and for the following reasons): from complainants, other regulatory bodies, witnesses and experts about persons relevant to a regulatory investigation. This may include parties such as:

• Relevant public authorities
• Gambling regulatory authorities
• Sports betting integrity units
• Other regulators
• Technology providers
• Law enforcement agencies (including overseas)
• Expert contractors we instruct 

We will also share with and obtain personal data the following third parties, for carrying out our suitability checks:

• Disclosure and Barring Service
• Isle of Man Treasury Customs, & Excise Division
• Financial Intelligence Unit
• Financial Services Authority
• Lexis Nexis - Accuity World Compliance
• Accuris Risk Intelligence KYC6
• Refinitiv World-Check

Any personal data we share in this way is shared in accordance with relevant legislation and is limited to the type and amount of data we believe necessary in order to achieve our objectives.

It may also be necessary to share information for other reasons, such as obligations in relation to:

• the prevention and detection of crime;
• the collection of tax and gaming duty
• the Proceeds of Crime Act 2008; and
• the Anti-Money Laundering Legislation and codes of practice.

We will only process your personal information if there is a lawful basis for us to do so as set out in Article 6 of the applied GDPR.

As a regulatory body, most of the personal data that we collect and process is data relating to our regulatory functions and responsibilities. Therefore, for the most part, when we are processing personal data we would be reliant upon Article 6(1)(e), namely that it will be on the basis that it is necessary for us to perform a task in the public interest or for our official functions which have a clear basis in law.

 We may also process personal data based on one of the following legal bases:

• Article 6(1)(b), namely that the processing is necessary for a contract we have with the individual or their organisation, or because they have asked us to take specific steps before entering into a contract
• Article 6(1)(c) – namely that the processing is necessary for us to comply with the law

We may on occasion, use personal data processed during the course of our regulatory objectives to conduct investigations (and deciding outcomes) into the activities of licence holders and the individuals who control or manage them. This will be specifically in relation to the activities relating to the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal or civil penalties as set out in any of the Gambling Acts.

Personal data processed in this way will be accordance with the law and will be limited to the type and amount of data we believe necessary in order to achieve our objectives. We will also comply with our responsibilities in relation to international transfers

The GSC is designated as a competent authority under Schedule 1 of the GDPR and LED Implementing Regulations 2018. We may share your personal data with other public authorities or law enforcement agencies to help us (or them) to exercise our (or their) functions appropriately, but only where it is lawful and proportionate to do so.

This information may also be relevant to our wider regulatory objectives and statutory functions. We may, for example, derive information from our investigations which help us improve our understanding of the gambling market and assessment of the risks it faces (and potential risks to consumers as a result), and to seek continuous improvements in the market and our regulation of it.

The GSC may also record adverse information obtained during the course of fulfilling its regulatory objectives, in relation to the activities of licence holders and the individuals who control or manage them, in order to safeguard the reputation of the Isle of Man and the international character of gambling, and specifically to preventing gambling from being a source of crime or disorder, associated with crime or disorder, or used to support crime.

We may also act as a prosecutor in relation to certain gambling offences. In this case, the relevant provisions of the Law Enforcement Directive as applied to the Isle of Man, will be engaged. Personal data obtained for law enforcement purposes is protected under Isle of Man data protection legislation and an individual's rights in relation to such personal data are more limited to reflect the fact that the data subject is subject to law enforcement proceedings.

As part of the Gambling Supervision Commission’s regulatory responsibilities, it will publish consultations on various topics, seeking the views of the industry, companies, parliamentarians, researchers and the public.

Purpose and legal basis

We will process your personal data for the purpose of informing the development of our policy, guidance and other regulatory work in the subject area of the consultation. If contact details are provided, we may use these to monitor responses or contact you in relation to the consultation.

We may publish a summary of the consultation responses, but these will not contain any personal data. We may decide to publish your name (and on whose behalf you have responded) to indicate that you have responded to this consultation, we will only ever do this with your consent.

The lawful basis we are relying on to process your personal data is article 6(1)(e) of the applied GDPR, which allows us to process personal data when this is necessary for the performance of our public tasks in our capacity as a regulator.

Do we use any data processors?

If we are using a third party as part of a consultation you will be informed of this and provided with any additional information that may be required as per data protection requirements.

Cookies are small text files containing a string of characters that can be placed on your phone, tablet or computer that uniquely identify your browser or device.

Cookies tell us if your phone, tablet or computer has visited the site before. They help us understand how the site is being used, help you navigate between pages efficiently, help remember your preferences, and generally improve your browsing experience.

Any changes to how your cookie data is processed will be promptly reflected in this policy and will immediately apply to you and your data. If these changes affect how your data is processed, the Gambling Commission will take reasonable steps to let you know.

Cookies cannot be used to identify you personally. These pieces of information are used to improve services for you through, for example:

• enabling a service to recognise your device so you don’t have to give the same information several times during one task
• recognising that you may already have given a username and password so you don’t need to do it for every web page requested
• measuring how many people are using services, so they can be made easier to use and there’s enough capacity to ensure they are fast.

Isle of Man Freedom of Information Act 2015 ('FOIA')

The Freedom of Information Act 2015 (FOIA) gives Isle of Man residents a legally enforceable right to obtain access to information held by a Public Authority. This is subject to certain exemptions and practical refusal reasons.

You can find out more information on the FOIA including how to make a request to us here: Isle of Man Government - Freedom of Information and you can also use this link to view previous requests and their responses.

We are the controller for the personal data you provide to us when making a FOI request to the Gambling Supervision Commission. 

Legal basis for processing your information

We need your personal information (such as your name and contact details) to process and respond to you about your FOI request. In some cases, we may ask for proof of identification, and proof of residency, so that we can comply with the FOIA.

We must have a legal basis (a lawful reason) to process your personal data, which is submitted by you when you make a FOI request. The legal basis for processing your information when you make a request is that it is necessary for us to comply with the law (FOIA), or that it is necessary for us to perform a public task in the public interest. This is set out in Articles 6(1)(c) and (e) of the Schedule to the Data Protection (Application of GDPR) Order 2018 – this legislation is sometimes called 'the Applied GDPR').

Sharing information

FOI requests have to be submitted on a form prescribed by the Chief Executive Officer (Isle of Man Government) in order to be valid and accepted under the FOIA. You can either submit a request using the form online or a paper version, which is available by contacting our Data Protection Officer (see below for contact details).

When we process FOI requests made using the Online Services Portal on the Isle of Man Government website, a system called iCasework is used to process your request. The iCasework system is provided by a company called Civica UK Limited. This system stores information such as: 

• Your name
• Your address
• Your telephone and email address
• Your company name, if you are requesting information on behalf of an organisation
• Your request – we do not recommend putting any personal information into your request, if you are not sure what to include in your request, please contact us on dhaicaseworkfoi@gov.im for assistance.
• If requested proof of residency from you 

Civica UK Limited act as a Processor on behalf of all the Public Authorities. Civica UK Limited use the information held in the iCasework system for the purpose of providing a system to manage FOI requests and to transfer this information to the relevant public authority. The information you provide to Civica UK Limited will be kept secure and confidential. 

Access to your information is limited to authorised staff members within our Department. The Department of Home Affairs (DHA), through the Office of Cyber Security & Information Assurance (OCSIA), has been contracted by the Public Authorities to manage system administration on their behalf. 

If you are unhappy with the response to your Freedom of Information request

If you are dissatisfied with the response to your request for information, or the way your request was handled, you have the right to request the public authority to undertake a review.

If you are still unhappy following the review, you can complain about your request to the Information Commissioner’s Office. In this case the Public Authority to whom you have submitted your request will need to share information, such as emails we have sent or received from you with them so that the Information Commissioner can investigate the complaint. 

Storing your information

Your personal information will be held in iCasework for 12 months after the Public Authority has closed your request, or if you requested a review of your request, your personal information will be held in iCasework for 36 months after the Public Authority has closed your request.

After this time, the request will remain on the iCasework system, but all your personal information you provided at the time of the request will be deleted. 

Your rights

The Applied GDPR (data protection legislation) provides you as a data subject with some rights to be informed of the processing of your personal data, including the right to access that data and information about the purposes for processing. 

This includes a right to correct (rectify) any information a public authority holds, or to restrict it in certain circumstances. 

As the public authority is processing your data in order to comply with its legal obligations, certain of the data protection rights do not apply, including the right to have your data deleted (erasure), transferred to another provider, the right to object to the processing, and be informed about automated decision making.  When using the iCasework site or dealing with FOI requests, a Public Authority does not make automated decisions or profile your data. 

Data Protection Officer

If you have any questions about how we process your personal information, you can speak to our Data Protection Officer regarding your rights.

Email: DPO-GSC@gov.im

Phone: +44 1624 694322

In writing to:

Details of rights under the data protection legislation can be found in our general privacy notice.

The table below provides examples of other ways in which we may collect and process personal data:

The security and confidentiality of your information is very important to us. We will ensure that safeguards are in place to:

• Keep sufficient information to provide services and fulfil our legal responsibilities.
• Keep your records secure and accurate and only permit authorised staff to view your information.
• Only keep information as long as it is required.

To help keep your information secure, the GSC as a Public Authority, relies on the services of Government Technology Services Division (GTS) of the Cabinet Office, to provide technical measures to safeguard that:

• Make sure personal information is kept securely.
• Maintain security of the systems which hold personal information in line with ISO27001 standard - the ISO standard on information security and hold cyber essentials.
• Comply with the requirements of the PCI Security Standards Council.

Emails - Email communications are stored on our Isle of Man Government email system, Microsoft Outlook We encrypt and protect all our emails in line with government standards. If your email service does not support this encryption, you should be aware that any emails we send or receive may not be protected in transit. We will also monitor any emails sent to us, including file attachments, for viruses or malicious software. Please be aware that you have a responsibility to ensure that any email you send is within the bounds of the law.

Microsoft Dynamics CRM – The GSC use CRM to hold personal and business information relevant to our licence holders. Only certain members of staff will have access to your personal information on CRM and there is security in place to ensure this.

The administration of CRM is undertaken by Government Technology Services in the Cabinet Office; however, they are unable to access the content of any records and so will not be able to access your personal information.

Isle of Man Government Secure Network – There are strict access controls in place meaning that only those within the GSC can access information stored in folders on our network; in addition, only the teams within the Divisions who are able to access personal information, are those that have a business need to do so.

The administration of the IOMG Secure Network is undertaken by Government Technology Services in the Cabinet Office; however, they are unable to access the content of any records and so will not be able to access your personal information

Manual records - We do not routinely store manual records, however, those that are already in storage and a new records we are required to hold any manually are either stored on site or in a third-party storage facility with whom we have a data protection agreements in place.

We will only keep your information for the minimum time necessary, with exceptions of when longer retention can be justified for statutory, regulatory, legal or security reasons, or for their historical value.

Generally, we retain personal information for six years after the expiry of the licence an individual is associated with.

Retention periods are periodically reviewed and changes will be published on this privacy notice. As a Public Authority the GSC is subject of the provisions of the Public Records Act 1999 and as such data may be selected for more significant terms of retention. Depending upon the information we hold about you, and the reasons for our holding it, you have various rights under the applied GDPR.

For further details about retention periods, or to see the GSC’s Retention and Destruction Schedule, please contact our Data Protection Officer at DPO-GSC@gov.im.

Articles 12 to 22 of the Applied GDPR, set out the rights you have as a data subject. This privacy notice covers Articles 13 & 14. Other rights you have are set out below:

Your right of access

You have the right to ask us for copies of your personal information.

Your right to rectification

You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.

Your right to erasure

You have the right to ask us to erase your personal information in certain circumstances. For example:

• where the data is no longer needed for the purposes it was collected
• you object to processing and there are no overriding legitimate grounds to continue
• where the data has been unlawfully processed or where the data has to be erased for compliance with a legal obligation

Your right to restriction of processing

- You have the right to ask us to restrict the processing of your personal information in certain circumstances. For example:

• the accuracy of the data is contested – for a period necessary to allow us to verify its accuracy
• the processing is unlawful and you request restriction instead of erasure, or
• we no longer need the data for the purposes it was collected, but you need it in connection with a legal claim.

Your right to object to processing

You have the right to object to the processing of your personal information in certain circumstances. In this case, we will stop processing unless we can demonstrate compelling legitimate grounds for continuing the processing, which override your interests.

As most of our processing is conducted in order for us to comply with a legal obligation and/or perform a public task, this right will not be available in most circumstances.

Your right to data portability

You have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances.

You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you.

These rights are subject to the restrictions set out in Article 23.

You have a right of access to your personal data and to check the accuracy of that data by making a Subject Access Request.

A subject access request is made by filling in our Subject Access Request Form, or by contacting the DPO-GSC@gov.im.

We have a guidance sheet that gives you details on the process.

If you have any questions about how we process your personal information, you can speak to our Data Protection Officer regarding your rights.

Email: DPO-GSC@gov.im

Phone: +44 1624 694322

In writing to:

If you have any concerns about how we collect or process your data, you can write to our Data Protection Officer using the address above or by email to DPO-GSC@gov.im.

You also have the right to request the Isle of Man’s Information Commissionerto undertake an assessment as to whether the processing of your personal data has been carried out in accordance with the provisions of the Isle of Man Data Protection Legislation.

Further information regarding complaints to the ICO can be obtained through its website or by calling +44 1624 693260.

This Privacy Notice may be replaced, or more information added. If any significant change is made to this Privacy Notice we will provide a prominent notice on this website so that you can review the updated Privacy Notice.