What we do and who we are
We run GAMSTOP, a free self-exclusion service to help UK residents avoid online gambling.
We are The National Online Self Exclusion Scheme Limited (you may also see or hear us being referred to as NOSES or GAMSTOP). We are a limited liability company registered in England and Wales. Our company number is 10504973.
To contact us about our use of your personal data please use the details set out below.
Our Purposes and our Lawful Basis for Using Personal Data
If you register for GAMSTOP, you will provide personal data to us when you use the GAMSTOP service. For example, you will provide personal data to us when you initially register for self-exclusion or when you contact our Contact Centre. Third parties also provide us with personal data and more information about that is set out below.
Under data protection legislation we must have at least one lawful basis for each use of personal data. An explanation of our reasons for using your personal data and the lawful bases we rely on to do so is set out below.
If you register for GAMSTOP, you will not be able to de-active your self-exclusion until the end of your selected minimum exclusion period. Consequently, we do not rely on consent (which may be withdrawn) as our lawful basis to use personal data to administer self-exclusion.
However, we do rely on your consent to verify your identity via automatic facial recognition technology provided by Onfido.
We also rely on your consent to use personal data for research purposes. In order to improve the GAMSTOP service, we collaborate with selected third party independent researchers. We will only ever share your personal data with an independent researcher where we have your consent. The results of the research will be shared with us. You may withdraw your consent for your personal data to be used for research purposes at any time.
If you consent to speak to an independent researcher, we will provide you with updated details about the research where appropriate.
Necessary for a contract
All gambling operators licensed by the Gambling Commission send us personal data relating to their customers on a daily basis and at any time one of their customers attempts to log in or tries to register for an account. We use this personal data to check whether or not gambling operators’ customers are self-excluded with GAMSTOP. Where gambling operators’ customers are self-excluded with GAMSTOP, our legal ground for using personal data is necessary for the performance of a contract (please see above). Where a customer is not self-excluded with GAMSTOP, our legal ground for processing the customer’s personal data is legitimate interests. The legitimate interests include the provision and proper functioning of the GAMSTOP service and the regulatory obligations of the individual gambling operators.
Occasionally, we also need to use personal data relating to people who have not registered for GAMSTOP and are not customers of gambling operators (for example, third-party complaints, interactions with friends or family members of registered consumers, or interactions with people on a professional basis). In these situations, our use of personal data is based on our legitimate interests. Our legitimate interest is the provision of the GAMSTOP service. We will not use personal data for the purposes of GAMSTOP on the basis of our legitimate interests where your interests, rights or freedoms override the interest in providing the GAMSTOP service.
We will not use any personal data on the basis of legitimate interests where an individual’s interests, rights or freedoms override those legitimate interests.
Importantly, where we rely on the legitimate interests basis you have the right to object to our use of your personal data. You can object by contacting us at email@example.com.
Special category personal data
Special category personal data includes information such as an individual's sexual orientation, health data, religion, race and trade union membership.
We use facial recognition technology provided by Onfido for identity verification purposes. This technology uses biometric data (a face scan) to verify an individual's identity against their official ID documents (such as a driving licence or passport). When biometric data is used to identify an individual, it is special category personal data. We will only use biometric data to identify you with your explicit consent.
We do not otherwise generally collect and use any special categories of personal data for the purposes of providing the GAMSTOP service. However, we recognise in some situations we may be provided with and need to use information relating to an individual's mental health. Information relating to an individual's mental health is special category personal data. We will only use information about mental health or other special category personal data where you have provided explicit consent, or it is necessary for our contract with you or a legitimate interest and one of the following applies: you have made the information public, the situation is an emergency or there is a substantial public interest in using your personal data that is based on the law.
Separately from our contract with you and the provision of the GAMSTOP service, we will also use your information when we are required to do so by law. Where that is the case, our lawful basis is processing necessary for us to comply with a legal obligation that we are under.
Consequences of not Providing Personal Data we ask you to Provide
In order to register for self-exclusion it is mandatory to provide us with the following personal data, which is necessary for us to administer self-exclusion:
- Full name and title.
- Date of birth.
- Mobile number, together with any other mobile number you would like to form part of your self-exclusion.
- Primary email address, together with any other email address which you would like to form part of your self-exclusion.
- Home address (including post code), together with any other address which you would like to form part of your self-exclusion.
You will also be required to verify your identity. We use one of two identity verification providers. TransUnion provides us with a series of questions only you should know the answer to. If you answer enough of the questions correctly we will verify your identity. If you are not able complete the TransUnion process and you consent to the use of facial recognition technology, we will use Onfido to verify your identity. To complete the Onfido process we will need a photo of you and an official photographic ID document.
In some cases, it may not be possible for TransUnion or Onfido to verify you. We will let you know if that is the case and may require you to provide official ID documents to our Contact Centre before you can use the GAMSTOP service.
If you do not provide any of the above information when required, you will not be able to register for self-exclusion. If the personal data you provide to us is incorrect or incomplete, the GAMSTOP service may not operate effectively.
In addition, we use an email confirmation system. We collect information about when and on what device our confirmation emails have been read.
Personal Data Received About you and Where This Comes From
Most of the personal data we use to provide the GAMSTOP service is provided by you at registration.
We record calls to our Contact Centre for training, accuracy and performance monitoring purposes. You will receive a message informing you that calls are recorded at the beginning of the call.
As part of the registration process, TransUnion and Onfido (our verification partners) will verify your identity. TransUnion provides us with a series of questions and we will inform you whether or not you have answered enough of the questions correctly to verify your identity. TransUnion's privacy notice explains in more detail how TransUnion uses your personal data for the verification process. Onfido uses facial recognition technology to compare a photo of you with the photo of you on an official ID document.
All operators participating in the GAMSTOP service are required to check if their customers have self-excluded with GAMSTOP. Operators undertake checks on a daily basis and each time a customer logs in or tries to register for an account. To undertake these checks, operators send their customer's data to our matching service, which checks this information with the personal data we hold about people who have self-excluded. The data is hashed for security and we only store this information as long as necessary to perform the check and let the operator know if there is a match.
In addition to these checks, operators may provide us with details about attempts to login into online accounts that did not match with the information we hold and other information that may be relevant to our provision of the GAMSTOP service.
A full list of the gambling operators that participate in the GAMSTOP scheme is available here. We strongly recommend that you review the privacy policies of any gambling operators you use to access online gambling services.
We may receive information from a gambling operator, individual or other source that indicates that an individual has been incorrectly matched as being self-excluded, when, in fact, they did not register for self-exclusion on GAMSTOP. In these situations we may store certain personal data about that individual in order to build safeguards into our system and prevent that individual being incorrectly prevented from accessing online gambling operators' sites in future. We will store the minimum amount of personal data necessary to achieve this aim and will only retain such personal data for so long as it is needed.
Who do we Share Personal Data With?
We work with a number of service providers to provide the GAMSTOP service. We share personal data with the following service providers where necessary for the purposes of providing the GAMSTOP service:
- The Data Shed (IT, development and software delivery services).
- SendInBlue (email services).
- AWS (cloud services).
- TransUnion (identity verification services).
- Onfido (identity verification services).
- Fetchify (address lookup services).
- Connect Assist (consumer services).
- Zendesk (case management system).
- Microsoft (software).
- Nexus IT (IT support).
- Citrix (secure information sharing).
We have contracts in place with all service providers that strictly govern how they use the personal data we disclose to them.
We disclose personal data to gambling operators. When operators use our matching service (as described above) we will let them know if the data they provide for someone attempting to use their service matches the identity of someone registered as self-excluded on our service (by a yes/no response). We also inform gambling operators if the data they provide matches the identity of someone who was registered as self-excluded with GAMSTOP at any point in the previous 7 years.
We may also need to disclose your personal data to operators in order to resolve a query from you or for the purposes of an operator’s responsible gambling obligations.
We may disclose personal data to the Gambling Commission where doing so is necessary for the provision and proper operation of the GAMSTOP service or where doing so is necessary for the Gambling Commission’s regulatory functions.
If you have given us your specific consent, we will share your personal data with selected independent researchers in order to improve the GAMSTOP service.
If you have given us your specific consent, we will share your personal data with GamCare, who operate the National Gambling HelpLine.
Legal rights and obligations
We may occasionally be required by law, court order or governmental authority to disclose certain types of personal data. We may also need to disclose your personal data as part of the establishment, exercise or defence of legal claims.
Transferring Your Personal Data Outside the UK or EEA
Generally, we only store and use your personal data within the UK and European Economic Area (EEA) countries.
If a gambling operator which you use (or try to use) is located outside the UK or EEA and they submit your personal data to our matching service, we will let them know if you are, or were, self-excluded. We have in place standard contractual clauses approved by the European Commission to protect your personal data where we transfer it to gambling operators outside the EEA.
Some service providers acting on our behalf may transfer personal data to outside the UK or EEA. We have in place standard contractual clauses approved by the European Commission to protect your personal data where it is transferred to the USA or elsewhere outside the UK or EEA.
How Long we Keep Your Personal Data
If you have registered for a period of self-exclusion, we will keep your personal data for the duration of your selected minimum exclusion period (plus any extensions to this which you apply) plus an additional 7 years from the date your last selected minimum exclusion period ended (during which time if a gambling operator checks your details using our matching service, the operator will be informed that you were previously self-excluded).
After the end of the additional 7-year period, your personal data will be archived for a further 7 years (during which time, if a gambling operator checks your details using our matching service, the operator will not be informed that you are or were previously self-excluded). It will then be deleted.
If you attempt to register for a period of self-exclusion but are unsuccessful, we will keep your registration personal data for 30 days – unless it is added to our case management system, in which case it will be stored for up to 7 years.
If you provide any ID documents to our Contact Centre, we will keep them for up to 30 days – unless they are added to our case management system, in which case they will be stored for up to 7 years.
Any correspondence or customer records that are stored on our case management system are stored for up to 7 years.
If you have called the Contact Centre we will keep a recording of that call for up to 3 months.
If you consented to us sharing your first name and telephone number with GamCare, we will store the information we share with GamCare for up to 30 days.
If you are the customer of gambling operator whose personal data is shared with us but not registered for a period of self-exclusion, your personal data is deleted as soon it fails to match with any self-excluded or previously self-excluded individuals.
If you consent to the use of facial recognition technology, we will keep a copy of your photo and official ID for 7 years after the date you were verified. However, we do not keep a record of your biometric data (facial measurements).
Automated Decision Making
Our matching service is automated, save for the limited circumstances where human intervention is required as described below. It is necessary that this process is automated in order to provide the GAMSTOP service. Due to the volume of the data which needs to be processed, it would be impractical and time consuming to manually check all gambling operators' records against our self-exclusion database.
Our matching service works by us storing your registration data on our database. The operator asks for the same information from users registering for their sites and sends this data to our matching services. If the two sets of information match we return a positive result and the operator will prevent that user logging in or registering with them. If the two sets of information match because you were previously self-excluded and we still hold your personal data, we will inform the operator that you were previously self-excluded, but you are not now. In this situation, it is for operators to decide whether to allow access to their services.
We have safeguards in place which involve human intervention. If you think you have been incorrectly matched and treated as self-excluded or previously self-excluded, you can call our Contact Centre. Our staff undertake a thorough investigation of any concerns you raise about our automated matching service.
The consequence of our automated matching service is that you may be prevented from accessing gambling websites and/or apps run by gambling operators licensed by the Gambling Commission when you are not self-excluded or you may not be prevented from accessing gambling websites and/or apps run by gambling operators licensed by the Gambling Commission when you are self-excluded.
We use automated processes to verify your identity. The consequences of our automated verification processes are that if your identity is verified you will be provided access to the GAMSTOP service where you may be prevented from accessing gambling websites and/or apps. If you are not verified, you will not be provided access to the GAMSTOP service and may be able to access gambling websites and/or apps.
If you think we have failed to verify you correctly, you can call our Contact Centre. Our staff undertake a thorough investigation of any concerns you raise about our automated verification processes.
We are committed to protecting the security of your personal data. We use a variety of security technologies and procedures to help protect your personal data from unauthorised access, use, or disclosure.
For example, we transfer personal data to our verification services provider via a secure API link and personal data within our matching service is hashed. We also ensure that our service providers who will have access to your personal data take appropriate security measures to protect your personal data.
In respect of your personal data you have the following rights to:
- Access to a copy of the information comprised in your personal data.
- Data portability.
- Check our automated decision-making relating to you.
- Object where we rely on legitimate interest to use your personal data.
- Withdraw your consent at any time, where our processing is based on consent.
- Ask us not to process your personal data for direct marketing purposes.
- Have inaccurate personal data rectified.
- Restrict processing of your personal data.
If you contact us in relation to your rights we will do our best to accommodate your request or objection. Please note, however, that these rights are not absolute. There may be some situations in which you cannot exercise them or they are not relevant.
If you request to exercise your rights, we may need to take steps to verify your identity.
You can find out more about your rights at the Information Commissioner's Office website.
Who can you Complain to if you are not Happy About how we use Your Personal Data
If you have any concerns about how we use your personal data, we ask that you contact us in the first instance using the contact details below. We'll do our best to resolve the matter.
However, you do also have the right to lodge a complaint to the Information Commissioner's Office at any time.
Help us Keep Your Details up to Date
You must make sure that your consumer account is up to date with your latest personal data. This is important for your self-exclusion to remain effective. Please login to your account or contact our Contact Centre immediately if any of your personal data is out of date.
GAMSTOP may contain links to other websites. We are not responsible for the content, security, practices or privacy policies employed by other websites. We encourage you to carefully review these sites' privacy policies so that you know how they will collect, use, and share your information.
How to Contact us
If you have questions regarding this policy or our handling of your personal data, please contact our Data Protection Officer at firstname.lastname@example.org.