Slot Boss Privacy Policy

Last updated 27th March 2020 - Version 1.2.

INTRODUCTION

Welcome to LeoVegas Gaming PLC's Privacy Policy relating to provision of the services provided via www.slotboss.co.uk and/or any related software applications (Website).

LeoVegas Gaming PLC (LeoVegas) respects your privacy and is committed to protecting your Personal Data and processing it in compliance with applicable laws, notably:

  • The Maltese Data Protection Act (Chapter 586 of the Laws of Malta) as well as the various subsidiary legislation issued under the same (the DPA); and
  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (GDPR).

This Privacy Policy will inform You as to how We look after Your Personal Data when You visit our Website and/or use Our services.

Although Our goal is to always be as clear and transparent as possible, We appreciate that legal documents can sometimes be difficult to read. Please do not hold back from contacting Us for any clarification You may need. For example, if You need clarification on a specific legal basis that We are relying on to process Your Personal Data for a specific processing operation, We would be happy to provide You with any such information You may need.

This Privacy Policy is provided in a layered format, so You can click through to the specific areas set out below. In summary of this Privacy Policy, We think that this information is the most relevant for You:

• Purpose of processing: We process Your Personal Data for the purpose of providing You with the services, to allow You to access the Website, to comply with Our legal obligations such as anti-money laundering and safer gambling, to detect and prevent fraud and to commercially grow Our business (e.g. direct marketing);
• Controller: When processing Your Personal Data, LeoVegas acts as a controller;
• Your rights: You have a number of rights afforded by applicable laws, especially a right to object to processing that is based on Our legitimate interest such as direct marketing of Our own goods and services, segmentation, loyalty programme and risk management. When We process Your Personal Data on the basis of Your consent, You can withdraw it at any time. Also, You have a right to receive access to all of the Personal Data that is undergoing processing and a right to erasure of the Personal Data that is no longer necessary;
• Implications of processing: Processing of Personal Data will result in the provision of services (or denial thereof if certain data is not provided), receiving marketing communication, segmentation with respect to risk categories or bonuses and similar offers.

We recommend that you read this Privacy Policy in full.

For the ease of your orientation, these are the contents of this Privacy Policy:

  1. IMPORTANT INFORMATION AND WHO WE ARE

• Purpose of this Privacy Policy
• Controller
• Contact details
• Changes to the Privacy Policy

  2. THE DATA WE COLLECT ABOUT YOU

• Personal Data
• Data Obtained from You
• Data obtained from other sources
• Special categories of Personal Data
• If You fail to provide data
• Username

  3. WHY AND HOW WE USE YOUR PERSONAL DATA

• General purposes
• Detailed purposes and legal basis
• Direct marketing of own similar goods and services

  4. RETENTION

• Criteria used to determine retention period
• Details on Our retention periods

  5. RECIPIENTS OF YOUR PERSONAL DATA

• Processors
• Authorised disclosures
• Group companies/other brands for Safer Gambling Purposes
• Group Companies/other brands for AML purposes
• Data sharing for AML and Safer Gambling Purposes between brands
• Corporate restructuring
• Joint Controllers

  6. INTERNATIONAL TRANSFERS

  7. DATA SECURITY

  8. YOUR RIGHTS UNDER DATA PROTECTION LAWS

• Right of access
• Right to rectification
• Right to Erasure (right to be forgotten)
• Right to data restriction
• Right to data portability
• Right to object certain processing
• Right to withdraw consent
• Right to lodge a complaint
• What We may need from You
• Time limit to response
• Different brands

  9. AUTOMATED PROCESSING – PROFILING

• Safer Gambling Profiling
• Direct Marketing Profiling
• Sports Risks Segments Profiling

COOKIES

  1. IMPORTANT INFORMATION AND WHO WE ARE

1.1. Purpose of this Privacy Policy

This Privacy Policy aims to give You information on how We collect and process Your Personal Data through or in conjunction with Your use of this Website. This Privacy Policy stipulates details and conditions of collecting and processing your personal details and provides You with information in terms of articles 12 and 13 of the and 20 of GDPR. This Website is not intended for children and We do not knowingly collect Personal Data relating to children (below 18 years of age).

1.2. Controller

LeoVegas Gaming PLC is the controller and responsible for Your Personal Data (referred to as "LeoVegas", "We", "we", "Us" or "Our" in this Privacy Policy). We have appointed a data protection officer (DPO) who is responsible for overseeing questions in relation to this Privacy Policy. If You have any questions about this Privacy Policy, including any requests to exercise rights, please contact Us or the DPO using the details set out below.

1.3. Contact Details

General email address: privacy@leovegas.com

DPO email address: dpo@leovegas.com

Postal address: LeoVegas, Level 7, The Plaza Business Centre, Bisazza Street, Sliema SLM 1640, Malta

1.4. Changes To The Privacy Notice And Your Duty To Inform Us Of Changes

We reserve the right, at Our complete discretion, to change, modify, add and/or remove portions of this Privacy Policy at any time. You shall be informed by Us of any material changes made to this Privacy Policy (as well as other terms and conditions relevant to the Website). We shall also archive and store previous versions of the Privacy Policy for Your review upon request.

  2. THE DATA WE COLLECT ABOUT YOU

2.1. Personal Data means any information that identifies You as an individual or that relates to an identifiable individual.

Whenever it is not possible or feasible for Us to make use of anonymous and/or anonymised data (in a manner that does not identify any Users of the Website or customers of Our services), We are nevertheless committed to protecting Your privacy and the security of Your Personal Data at all times.

2.2. Data obtained from You

We collect from You, through interaction with You or through Your interaction with Us or our services, different kinds of Personal Data about You which We have grouped together as follows:

a) Registration Data provided by you when You register and/or open an account with Us including your first name, surname, username or similar identifier, date of birth, gender, country.

b) Contact Data includes address, email address and telephone number.

c) Identification and Verification Data (Anti-Money Laundering/Due Diligence/KYC data) that include your first name, surname, address, proof, age, nationality, family members, degrees and qualifications, schools/universities attended, employment history and information, media involvement, financial status information (e.g. bank statement, source of income and source of wealth, tax information), masked credit card details, proof of e-wallet ownership such as Neteller, Skrill, Paypal, Paysafe, Trustly, KYC documentation (e.g. ID card, Power of attorney).

d) Safer Gambling Data including first name, surname, postcode, email, phone number, country, date of birth, with respect to Swedish players social security number [personnummer], approved and denied transactions (deposits and withdrawals), Identification and Verification Data, Self-exclusion Data.

e) Self-exclusion Data include data pertaining to You and Your self-exclusion such as Your Registration and Contact Data and Your self-exclusion information such as reason, start and date, utilisation of self-exclusion tools such as exclusions, session limit, loss limit, wager limit, deposit limit, reality check.

f) Payments Data includes bank/payment account details, as well as information pertaining to a transaction such as currency, location, amount/value, client IP, user ID, token.

g) Transaction and Usage Data generated through Your use of Our services and include payments to and from You (deposits, withdrawals, failed deposits and reversed withdrawals) and other details of services You have purchased from Us (such as bets, wagers (real and bonus), wins), date and time of the transactions, account balances (bonus and real), bonuses used (conversion and forfeiture), bonuses turnover, bonuses balance, channels used, transaction games played, language, country, account balances.

h) Log in Data includes internet protocol (IP) address, Your logins (first login, last login, last failed login), duration of logins, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices You use to access Our services.

i) Profile Data includes internal notes to Your account, interests, preferences, feedback, information about events which You have attended; Your preferences as to whether You wish to attend any events, and what type of events You prefer; any bonus/cash back deals, or bonus preference You have been offered or benefitted from; whether You have received any giveaways or, and Your preferences regarding what type of gifts You would like to receive; Your preferences as to contact channels; information regarding Your hobbies and interests.

j) Marketing Communications Data includes Your preferences in receiving marketing from Us (opt in/opt out), as well as Your Contact and Registration Data.

k) Other Communication Data provided by You in communication with Us (via recorded calls, chats, email, or SMS) which may include various data such as Your intentions, interests, complaints, preferences, as well as internal communication and notes.

l) Analytics Data include various data provided by You or observed with respect to Your use of our Website and services such as Your player ID, language, location, browser data, campaigns utilised, channels used, device, payment provider, Transaction and Usage Data and, in the case of online acquisition analytics, also pages visited, postcards clicked, scroll depth. Certain information is collected using cookies and/or similar tracking technology – please see further section on Cookies.

2.3. Data from different sources

2.3.1. We collect information about you for AML/CFT purposes which we source from third party providers (private companies working with public sources), including but not limited to GBG Group and Experian Limited, which includes information as to whether you are a politically exposed person and whether any international or financial sanctions have been imposed, and/or information on any corporate or property ownership, court judgements and/or insolvency. Moreover, background information is collected, using so-called OSINT (Open-Source Intelligence), from publicly available sources (e.g. Google search, all social media services like Facebook, Twitter, Pinterest, Instagram, LinkedIn as well as other services/sites like pipl.com, https://www.zoopla.co.uk/, https://www.glassdoor.com and Companies House).

2.3.2. To comply with our legal obligations stemming from applicable laws and license conditions (notably the Gambling Act 2005), We collect Self Exclusion Data from other licensed gaming operators belonging to the LeoVegas Mobile Gaming Group, namely Royal Panda Limited. Likewise, for the same purposes, LeoVegas uses Self Exclusion Data collected with respect to any other brands under which LeoVegas operates its licensed gaming business.

2.3.3. With respect to players who are registered with GAMSTOP, the UK National Online Self-Exclusion Scheme, we receive certain Self-Exclusion Data from GAMSTOP such as whether you are/are not or have previously been self-excluded. This information is received once you login. Registration with GAMSTOP does not mean that you will immediately stop receiving communication from the LeoVegas Mobile Gaming Group, including accounts held with LeoVegas and Royal Panda Limited. Communication will cease once you advise us that you have registered with GAMSTOP, or once you try to login, whichever occurs first.

2.3.4. Profile Data (hobbies, interests) are also gathered by searching publicly available sources such as Facebook, LinkedIn, Twitter, Instagram and Google search.

2.3.5. In order to prevent and detect fraud and misuse of our systems (e.g. use of VPN), certain Login Data, such as IP address, device model/type, browser information, operating system and other device identification data, are sourced and processed by Us using the services of a third-party fraud detection software provider.

2.3.6. We obtain information on Your sports risk segment (Sports Risk Data) from our sportsbook provider SBTech (Global) Limited (SBTech). SBTech does not obtain Your real name or email address and does not process any of Your personal data on an identified basis. Please contact Us if You have any queries as to how SBTech processes Your personal information or if you wish to exercise any of your data subject rights.

2.4. Special Categories of Personal Data

We do not collect any special categories of Personal Data about You (this includes details about Your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about Your health and genetic and biometric data). Nor do we collect any information about criminal convictions and offences. However, from Our experience, We cannot exclude that You may, at Your own discretion, send Us such data in communication with Us.

Please note that although ID cards are processed, images contained therein are not specifically processed to allow or confirm unique identification. Therefore, such data is not to be considered biometric data (special category of data).

2.5. If You Fail To Provide Personal Data

Where We need to collect personal data by law, or under the terms of a contract We have with You, and You fail to provide that data when requested, We may not be able to perform the contract We have or are trying to enter into with You (for example, to provide You with Our services).

2.6. Username

Please make sure that Your username does not contain any personally identifiable information, as the username is shared with certain partners and in the course of the sharing of the username, this is not, separately, considered Personal Data. Please contact Us if Your username contains Your personally identifiable data, so We can make proper arrangements to protect Your Personal Data and guide You as to how to change the username.

  3. WHY AND HOW WE USE YOUR PERSONAL DATA

3.1. We will only use Your Personal Data when the law allows us to.

Most commonly, We will use Your Personal Data in the following circumstances:

• To allow You to participate in games and to provide ancillary services to You;

• To allow You access and use of the Website;

• For legal and regulatory reasons, to comply with Our legal obligations and license conditions such as anti-money laundering and safer gambling;

• For identification and verification purposes;

• For purposes that constitute a legitimate interest of LeoVegas regarding direct marketing of its own similar goods and services via live telephone call, postal mail or electronic mail as provided below; and

• For analytics purposes.

3.2. Detailed purposes and legal basis

We have set out below, in a table format, a description of all the ways we plan to use Your Personal Data, and which of the legal bases we rely on to do so. We have also identified what Our legitimate interests are where appropriate. Note that We may process Your Personal Data for more than one lawful ground depending on the specific purpose for which We are using Your Personal Data. Please contact us if You need details about the specific legal ground We are relying on to process Your personal data where more than one ground has been set out in the table below.

| Purpose | Data Category | Legal Basis |
|---|---|---|
| To register you as a new player; to identify you and verify you when you access your Account to allow you to participate in Games | Registration Data; Contact Data; Log-in Data | Performance of the contract with you |
| To allow your participation in the Games | Transaction and usage data | Performance of the contract with you |
| To process and manage your payments transactions | Payments Data; Transaction and Usage Data | Performance of the contract with you |
| To manage our relationship with you, to communicate with you, to provide you with access to Games and any ancillary services | Registration Data; Contact Data; Profile Data; Other Communication Data; Transaction and Usage Data; Self-exclusion Data | Performance of the contract with you; Compliance with the legal obligations |
| For AML/CFT and due diligence purposes | Registration Data; Contact Data; Identification and Verification Data; Transaction and Usage Data (As further specified in Clause 9) | Compliance with legal obligations |
| To establish and investigate any suspicious behaviour in order to protect our business from any risk or fraud | Registration Data; Contact Data; Identification and Verification Data; Log in Data; Payments Data; Other Communications Data | Legitimate interest (detection and prevention of fraud) |
| Identification and investigation of gaming activity for responsible gaming purposes | Safer Gambling Data; Self-exclusion Data; Other Communications Data | Compliance with legal obligations |
| Safer gambling profiling | Safer Gambling Data; Transaction and Usage Data; Other Communication Data (As further specified in Clause 9) | Compliance with legal obligations |
| To ensure that self-excluded players with respect to LeoVegas or any other brand/company within the group are duly self-excluded and do not access Our services (e.g. Games) and to handle and action requests made by the customer relating to the use of the Safer Gambling Tools through the website | Self-exclusion Data | Compliance with legal obligations |
| Direct Marketing of our own goods and services (Games) - incl. Bonuses and offers (further information in clause 3.3) | Marketing Communications Data | Legitimate interest (to promote our own Service, to develop our business and enhance relationship with you by targeted offers); UK (unless permitted otherwise): Consent |
| Direct Marketing of our own goods and services (Games) - loyalty programme (further information below in clause 3.3) | Registration Data; Contact Data; Marketing Communications Data; Profile Data | Legitimate interest (to promote our own Service, to develop our business and enhance relationship with you by targeted offers); UK (unless permitted otherwise): Consent |
| Social Media Marketing | Contact Data | Legitimate interest (to promote our own Service, to develop our business and enhance relationship with); UK (unless permitted otherwise): Consent |
| Customer segmentation for the purpose of tailored offers and bonuses sent via direct marketing | Transaction and Usage Data; Registration Data; Sports Risk Data (As further specified in Clause 9) | Legitimate interest (to promote our own Service, to develop our business and enhance relationship with you by targeted offers) |
| Loyalty programme purposes to (i) offer you attendance to events which would be of interest to you and possible guests, based on previous attendance; (ii) offering bonuses and other gifts which would be of interest to you, based on previous bonuses or gifts you may have benefitted from; (iii) contacting you on your preferred contact channels | Profile Data; Registration Data; Contact Data; Transaction and Usage Data | Legitimate interest (to promote our services, improve your experience with our services and for offers to you as part of our tailored loyalty programme) |
| Customer segmentation for the purpose of tailored offers and bonuses sent via direct marketing | Transaction and Usage Data; Registration Data (As further specified in Clause 9) | Compliance with legal obligations; Legitimate interest (to promote our services, improve your experience with our services and for offers to you as part of our tailored loyalty programme) |
| To monitor player activity, detect and prevent fraud and to manage risk exposure | Sports Risk Data | Performance of the contract with you; Compliance with legal obligations; Legitimate interest (detection and prevention of fraud and management of risk exposure) |
| Commercial business analyses for the creation of standard, periodical | Transaction and Usage Data; Registration Data (As further specified in Clause 9) | Legitimate interest (to develop our products/services and grow our business) |
| Web Analytics | Analytics Data; Transaction and Usage Data | Legitimate interest (to develop our products/services and grow our business) |

3.3. Direct Marketing Of Own Similar Goods And Services

3.3.1. Direct Marketing of Own Similar Products and Services via electronic mail: In accordance with applicable laws and in reliance on Regulation 9(2) of the Processing of Personal Data (Electronic Communication sector) Regulations (S.L. 586.01) and Recital 47 of the GDPR, LeoVegas may inform You, from time to time, via electronic mail (email or SMS) about its own similar products or services (for example any changes on the Website, new Games, own new services and promotions, bonuses and offers, loyalty programme/VIP experience). You may opt out at any time and free of charge of such service, as applicable, either by:

• Activating the relevant link at the end of such message;
• Contacting Us; or
• Changing the settings in Your profile.

3.3.2. Live Direct Marketing Calls & Postal Mail: In accordance with applicable laws and in reliance on Regulation 9(3) of the Processing of Personal Data (Electronic Communications Sector) Regulations (S.L. 586.01) as well as Recital 47 of the GDPR, LeoVegas may place calls to You or send You postal mail for direct marketing purposes unless you oppose this. If You do not wish to receive such direct marketing calls or postal mail, You may opt out at any time and free of charge of such service either by:

• Contacting Us;
• Informing the caller in the case of a phone call; or
• Changing your settings in your profile.

3.3.3. Please note that even if You object to receiving direct marketing material from Us, from time to time We may still need to send You certain important communications from which You cannot opt-out.

3.3.4. With respect to players registered after 31.10.2018, LeoVegas can inform you, from time to time, about its products or services offers (for example any changes on the Website, new Games, new services and promotions, bonuses and offers, loyalty programme) via email, SMS, live phone call or ordinary mail only and exclusively in case they decided and consented to receive such communications from Us (so-called Opt-in). Such consent may be granted either when registering on Our Website or, alternatively, by changing the settings on Your account by selecting one or more of the available channels (SMS, Telephone, Email, Social Media, Post). It is understood that, if You decide to not receive any communication from Us, You won’t be updated on the latest offers and bonuses related to our products and services. Players registered prior to 31.10.2018 will receive the above-mentioned promotion information via live calls only subject to Your consent.

  4. RETENTION

4.1. Criteria used to determine retention period

We will only retain Your Personal Data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

The criteria We use to determine what is ‘necessary’ depends on the nature of the particular Personal Data in question. Our normal practice is to determine whether there is/are any specific EU and/or national law(s) (for example license requirement, tax or corporate laws) permitting or even obliging Us to keep certain Personal Data for a certain period of time (in which case We will keep the Personal Data for the maximum period indicated by any such law) and if not, whether there are any laws and/or contractual provisions that may be invoked against Us by You and/or third parties and if so, what the prescriptive periods for such actions are.

In the latter case, We will keep any relevant Personal Data that We may need to defend Ourselves against any claim(s), challenge(s) or other such action(s) by You and/or third parties. Where Your Personal Data is no longer required by Us, We will either securely delete or anonymise the personal data in question.

4.2. Details on our retention periods

| RETENTION SCENARIO | DATA CATEGORIES (HIGH LEVEL) | PURPOSE | LEGAL GROUND | DURATION | START OF THE PERIOD |
|---|---|---|---|---|---|
| 1 | Registration Data; Transaction and usage data | Tax and Accounting | Legal obligation | 10 years | Transaction |
| 2 | Identification and verification data (KYC/AML); Payments data | AML | Legal obligation | 5 years | Closure of account |
| 3 | Registration data; Transaction and usage data; Other communication data; Profile data; Payments data | Defence of legal claims brought by customers | Legitimate interest | 6 years | Closure of account |
| 4 | Registration data; Contract data; Identification and verification data; SG data; Self-exclusion data; Transaction and usage data; Payments data; Profile data; Other communications data | Defence of claims brought by authorities (UK) | Legitimate interest | 2 years | Closure of account |
| 5 | Identification and verification data; Safer Gambling data; Self-exclusion data; Other communications data | SG (closure of the account) | Legal obligation | 5 Years | Closure of account |
| 6 | Identification and verification data; Safer gambling data; Self-exclusion data | UK - temporary exclusion | Legal obligation | 7 years | Exclusion |
| 7 | Registration and contact data; Log in data | SG (permanent self-exclusion) | Legal obligation | Indefinite | Closure of the account / permanent self-exclusion |
| 8 | Transaction and usage data; Registration data; Sports risk data | Possibility to communicate with the Player (in relation to tailored offers and bonuses) in case of the Account reopening by the Player | Legitimate interest | 2 years | Closure of account |

Further details of retention periods for different aspects of Your Personal Data are available in Our retention policy which You can request from Us by contacting Us.

  5. RECIPIENTS OF YOUR PERSONAL DATA

5.1. Recipients of your Personal Data

As LeoVegas’s business partners, suppliers or service providers are responsible for certain parts of the overall functioning or operation of the Website, Games and other services, Personal Data is processed also by them for the above mentioned purposes on behalf of LeoVegas.

We require all third parties to respect the security of Your Personal Data and to treat it in accordance with the law. We do not allow Our third-party service providers to use Your Personal Data for their own purposes and only permit them to process Your Personal Data for specified purposes and in accordance with Our instructions, after thorough vetting of these partners and on the basis of strict data processing agreements.

5.1.1. Details on the categories of the processors of the Personal Data

• Game providers for the purpose of provision of games.

• Sportsbook provider for the purpose of provision of sportsbook service and risk management purposes.

• Payment service providers to perform payment transactions (deposits and withdrawals).

• Marketing suppliers/partners to perform certain marketing activities on behalf of LeoVegas.

• Marketing consultants to provide marketing advice to LeoVegas.

• Service providers that technically enable communication with You (via email, chat, SMS, telephone).

• Technical suppliers to support functioning of the Website and Our technical systems (both front and back end).

• Technical administrators of the database to maintain the functioning of the database.

• AML providers providing and/or processing certain data for the purposes of compliance with Our AML obligations.

• Service providers regarding organisation and booking emails, trips and/or delivery of presents and gifts with respect to Our loyalty programme.

• Cloud services providers for provision of cloud based services such as storage or hosting certain software.

• Service providers for the purpose of data analytics.

• Credit rating agencies, fraud detection agencies, anti-money laundering agencies for fraud detection and control purposes, in the processing of Your account and associated transactions.

• Companies within LeoVegas Mobile Gaming group to provide certain services/support with functions of LeoVegas.

• Professional advisers acting as processors or joint controllers including lawyers, bankers, auditors and insurers who provide consultancy, banking, legal, insurance and accounting services.

5.2. Authorised disclosure

If You are suspected to have breached Our terms and conditions or any applicable laws (for example when We suspect that a crime may have been committed), or for the purpose of preventing, detecting or suppressing fraud, LeoVegas has a right to:

• Forward Your Personal Data to the government authorities;

• Share any of Your Personal Data to the relevant gambling regulator;

• Share Your Personal Data with relevant law enforcement and/or crime investigation bodies and assist the same with any type of investigation into Your actions;

• Respond to any Court subpoena or order or similar official request for Personal Data; or

If You are suspected to have breached the provisions of the UK Gambling Act 2005, LeoVegas shall have the right to forward Your personal information to the UK Gambling Commission and shall provide any details as the UK Gambling Commission may so request.

5.3. Group companies/other brands for Responsible Gaming Purposes

Your Self-Exclusion Data is, for the purpose of compliance with legal obligations, notably obligation under the Gambling Act 2005 and Our license conditions, shared also with other companies within the LeoVegas Mobile Gaming Group, that operate licensed gambling activity, namely Royal Panda Limited.

5.4. Group companies/other brands for AML Purposes

Your Identification and Verification Data (first name, surname, date of birth and postcode) is, for the purpose of compliance with legal obligations, shared between various brands under which LeoVegas operates its gambling activities.

5.5. Data sharing for AML and Responsible Gaming Purposes between brands

Your Identification and Verification Data, Transaction and Usage Data, Registration Data and Contact Data are, for the purpose of compliance with legal obligations, shared with as well as sourced via various brands under which LeoVegas operates its gambling activities.

5.6. Corporate restructuring

Third parties, incl. any companies forming part of the LeoVegas Mobile Gaming Group, to whom We may choose to sell, transfer, or merge parts of Our business, assets or operations or as a result of restructuring. Alternatively, We may seek to acquire other businesses or merge with them. If a change happens to Our business, then the new owners may use Your personal data in the same way as set out in this Privacy Policy.

5.7. Joint controllers

Certain data is shared with other parties, acting as joint controllers. The following are the details on the essence of the joint-controller arrangements:

Iovation

The following data is shared with Iovation: Login Data to the following extent: Unique Account Identifier representing the Account End Users hold with LeoVegas, Device Attributes of the End User’s Electronic Device including IP address, End User logins (first login, last login, last failed login), duration of logins, browser type and version, time zone setting and location, browser plug-in types and versions, operating system, device ID, IP Country, IP Region, IP ISP related to each player.

The essence of the Joint Controller Arrangement between LeoVegas and Iovation:

• LeoVegas and Iovation jointly process personal data for the purpose of prevention and investigation of fraud.

• Iovation acts as a separate and independent controller for the following activities:

  • Improving services;
  • Machine Learning;
  • Sharing data across various operators/providers;

• LeoVegas responds to data subjects' requests.

In other cases, each party acts as a sole controller. However, We will in all cases be responsible for handling any queries that You may have with respect to Iovation's data processing activities.

Further information on Iovation’s processing activities may be found at https://www.iovation.com/legal/privacy.

6. INTERNATIONAL TRANSFERS

Certain of Our suppliers and partners (as listed above) are based outside the European Economic Area (EEA) so their processing of Your Personal Data will involve a transfer of data outside the EEA.

Whenever we transfer Your Personal Data out of the EEA, We ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:

• Transfer of Your Personal Data is performed to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission. For further details, see here.

• Where We use certain service providers, We may use specific contracts approved by the European Commission which give Personal Data the same protection it has in Europe. For further details, see here.

• Where We use providers based in the US, We may transfer Personal Data to them if they are part of the Privacy Shield which requires them to provide similar protection to personal data shared between Europe and the US. For further details, see here.

Please contact Us if You want further information on the specific mechanism used by Us when transferring Your Personal Data out of the EEA.

7. DATA SECURITY

We have put in place appropriate security measures to prevent Your Personal Data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In order to comply with GDPR, various technical controls ensure data and information are always encrypted during transit and at rest using industry standard encryption techniques across the board. This ensures confidentiality and integrity at all times. At an organisation level, the handling of all information is governed by Our comprehensive Information Security Policies. This is complemented by an information security awareness programme designed to specifically ensure We embrace security best practices whenever it comes to handling information.

In addition, We limit access to Your Personal Data to those employees, agents, contractors and other third parties who have a business need to know. They will only process Your Personal Data on Our instructions and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected Personal Data breach and will notify You and any applicable regulator of a breach where We are legally required to do so.

8. YOUR RIGHTS UNDER THE DATA PROTECTION LAWS

You may, at any time, at reasonable intervals, request Us to confirm whether or not We are processing Personal Data that concerns You and, if We are, You shall have the right to access that Personal Data and to the following information:

• What Personal Data We have,

• Why We process it,

• Who We disclose it to,

• How long We intend on keeping it for (where possible),

• Whether We transfer your Personal Data abroad and the safeguards We take to protect it,

• What Your rights are,

• How You can make a complaint,

• Where We got Your Personal Data from, and

• Whether We have carried out any automated decision-making (including profiling) as well as related information.

You can request this information by contacting Us using the contact details set out above.

Upon such request, We shall (without adversely affecting the rights and freedoms of others including Our own) provide You with such additional information and/or with a copy of the Personal Data undergoing processing within one month of receipt of the request, which period may be extended by two months where necessary, taking into account the complexity and number of the requests. We shall inform You of any such extension within one month of receipt of the request, together with the reasons for the delay.

8.2. The Right to Rectification

You have the right to ask Us to rectify inaccurate personal data and to complete incomplete Personal Data concerning You. We may seek to verify the accuracy of the data before rectifying it.

8.3. The Right to Erasure (The Right to be Forgotten)

You have the right to ask Us to delete Your Personal Data and We shall comply without undue delay but only where:

• The Personal Data is no longer necessary for the purposes for which it was collected;

• You have withdrawn Your consent (in those instances where We process on the basis of Your consent) and We have no other legal ground to process Your Personal Data;

• You shall have successfully exercised Your right to object (as explained below);

• Your Personal Data has been processed unlawfully;

• There exists a legal obligation to which We are subject; or

• Special circumstances exist in connection with certain children’s rights.

In any case, We shall not be legally bound to comply with Your erasure request if the processing of Your Personal Data is necessary:

• For compliance with a legal obligation to which We are subject (including but not limited to Our data retention obligations); or

• For the establishment, exercise or defence of legal claims.

There are other legal grounds entitling Us to refuse erasure requests although the two instances above are the most likely grounds that may be invoked by Us to deny such requests. You may request the erasure by contacting Us.

8.4. The Right to Data Restriction

You have the right to ask Us to restrict (that is, store but not further process) Your Personal Data but only where:

• The accuracy of Your Personal Data is contested (see the right to data rectification above), for a period enabling Us to verify the accuracy of the Personal Data; or

• The processing is unlawful, and You oppose the erasure of Your Personal Data; or

• We no longer need the Personal Data for the purposes for which they were collected but You need the Personal Data for the establishment, exercise or defence of legal claims; or

• You exercised Your right to object and verification of Our legitimate grounds to override Your objection is pending.

Following Your request for restriction, except for storing Your Personal Data, We may only process Your Personal Data:

• Where We have Your consent; or

• For the establishment, exercise or defence of legal claims; or

• For the protection of the rights of another natural or legal person; or

• For reasons of important public interest.

You may request the restriction by contacting Us.

8.5. The Right to Data Portability

You have the right to ask Us to provide Your Personal Data to You in a structured, commonly used, machine-readable format, or (where technically feasible) to have it 'ported' directly to another data controller, provided this does not adversely affect the rights and freedoms of others. This right shall only apply where:

• The processing is based on Your consent or on the performance of a contract with You; and

• The processing is carried out by automated means.

If You are a customer of another gaming operator and would like to have Your Personal Data “ported” to Us, please contact Us. In this respect please note that, notwithstanding any use of the portability right, You will still be expected to provide all Registration and Contact Data due to the requirements of Our customer registration / sign-up procedure.

8.6. The Right to Object to Certain Processing

In those cases where We only process Your Personal Data when this is: 1) necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in Us; or 2) when processing is necessary for the purposes of the legitimate interests pursued by Us or by a third party (as indicated in the Table in clause 3.2 above), You shall have the right to object to processing of Your Personal Data by Us.

When Your data is processed for direct marketing purposes, You have the right to object at any time to the processing of Your Personal Data, which includes profiling to the extent that it is related to such direct marketing.

For the avoidance of all doubt, when We process Your Personal Data as is necessary for the performance of a contract, when necessary for compliance with a legal obligation to which We are subject or when processing is necessary to protect Your vital interests or those of another natural person, this general right to object shall not subsist.

With respect to Direct marketing of our own goods and services incl. related profiling, You may object to such processing at any time by contacting Us or by selecting Your preferences on your account Profile – Settings page.

8.7. Right to withdraw consent (when we process your data on the basis of consent)

In those cases where We process on the basis of Your consent (which We will never presume but which We shall have obtained in a clear and manifest manner from You), YOU HAVE THE RIGHT TO WITHDRAW YOUR CONSENT AT ANY TIME and this, in the same manner as You shall have provided it to Us.

Should You exercise Your right to withdraw Your consent at any time (by writing to Us at the physical or email address below), We will determine whether at that stage an alternative legal basis exists for processing Your Personal Data (for example, on the basis of a legal obligation to which We are subject) where We would be legally authorised (or even obliged) to process Your Personal Data without needing Your consent and, if so, notify You accordingly.

When We ask for such Personal Data, You may always decline; however, should You decline to provide Us with necessary data that We require to provide requested services, We may not necessarily be able to provide You with such services (especially if consent is the only legal ground that is available to Us).

Just to clarify, consent is not the only ground that permits Us to process Your Personal Data. In the last preceding section above We pointed out the various grounds that We rely on when processing Your Personal Data for specific purposes.

8.8. The Right to lodge a Complaint

You also have the right to lodge complaints with the appropriate Data Protection Supervisory Authority. The competent authority in Malta is the Office of the Information and Data Protection Commissioner (OIDPC). We kindly ask that You please attempt to resolve any issues You may have with Us first (even though You have a right to contact the competent authority at any time).

8.9. What We May Need From You

When exercising your rights by contacting Us, We may need to request specific information from You to help us confirm Your identity and ensure Your right to access Your personal data (or to exercise any of Your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact You to ask you for further information in relation to Your request to speed up Our response.

8.10. Time Limit To Respond

We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if Your request is particularly complex or You have made a number of requests. In this case, we will notify You and keep You updated.

8.11. Different Brands

LeoVegas also operates its gaming business under other brands and trademarks. For the purpose of the exercise of Your rights as provided above, and for the purpose of clarity and legibility of Our reply, We will initially comply with the requests with respect to data processed under the brand from which the request originates. Should You wish Your request to be complied with in respect of all of the brands under which LeoVegas operates its business, please make sure to flag this in Your request.

9. AUTOMATED PROCESSING - PROFILING

9.1. Meaningful information about the logic involved in the automated processing for safer gambling purposes

LeoVegas is, on the basis of the applicable laws and license conditions, legally obliged to monitor its players in order to identify people who may be experiencing, or at risk of developing, problems with their gambling, and interact with them to offer help or support. To this end, and to fulfil this obligation, by using historic data describing the behaviour of players, in particular certain Safer Gambling Data, Transaction and Usage Data, and Other Communication Data (notably sentiment used in messages), LeoVegas has established rules regarding who is likely to suffer from gambling addiction and then takes relevant action.

Our approach is based on classification trees because they allow for clear interpretation of why players get classified as potential gambling addicts. Based on data describing unique players, the algorithm provides Us with an estimated probability of gambling addiction. Decisions, on the basis of the prediction, are not taken automatically without human intervention.

9.2. Meaningful information about the logic involved in the automated processing for AML purposes

LeoVegas is, on the basis of the applicable laws and license conditions, legally obliged to monitor its players in order to identify potentially suspicious activities regarding AML/CFT. Based on data describing the behaviour of players, in particular Transaction and Usage Data, the algorithm suggests a risk profile.

Decisions, on the basis of the prediction, are not taken automatically and require human intervention.

9.3. Meaningful information about the logic involved in the automated processing for loyalty/key account segmentation purposes

By making use of the historical data that players generated in their first 2 days, We assess whether You will qualify for Our key account/loyalty program. This model is used on new players and, depending on Your involvement with Our services, the account status is predicted. The result of the model is a prediction as to whether the player will become eligible for key account management. Apart from gender, country and age, We do not make use of personally identifiable information as input in the model. Decisions, on the basis of the prediction, are not taken automatically without human intervention. The process is based on Our compliance with legal obligation and, with respect to the loyalty offers, on the legitimate interest of LeoVegas in providing a customised, quality experience for the players and rewarding the loyalty of the players. You can object to such processing by contacting Us or changing Your preferences in Your account.

9.4. Meaningful information about logic involved in automated processing with respect to direct marketing segments

By making use of Your Transaction and Usage Data, certain Registration Data such as gender, country, date of birth and Your overall interaction with Our services, We analyse and establish various segments of the customers. These segments are then processed manually, in order to ensure that We provide the most appropriate offers and bonuses to Our customers. These decisions are not taken automatically without human intervention. The process is based on the legitimate interest of LeoVegas in providing a customised, quality experience for its players and rewarding the loyalty of the players. You can object to such processing by contacting Us or changing Your preferences in Your account.

9.5. Meaningful information about logic involved in automated processing with respect to Sports Risks Segments

LeoVegas is manually processing Your Sports Risks Segments as established by the sportsbook provider – SBTech. The Sports Risk Segments are established by SBTech on the basis of automated profiling performed by SBTech. They use automated processing to suggest a risk profile; however, such risk profile is confirmed or amended by SBTech’s personnel. In conjunction with provision of its services, SBTech uses automated risk management technology to assess the risk of particular betting activities. If You seek to undertake a bet that falls outside of the parameters associated with Your risk profile, the bet is flagged for SBTech’s personnel to review. To safeguard Your rights and interests, SBTech allows You to contest any decision that they make about Your risk profiling or to object to Our use of profiling. To this end, please contact Us (LeoVegas). For more information on processing activities performed by SBTech, please contact Us.

9.6. Meaningful information about logic involved in automated processing with respect to Game recommendation

By making use of Your Transaction and Usage Data, We provide You with a list of games that are aligned with Your taste. The system determines Your affinity towards different games and generalises Your preferences to unseen games. Ranking the computed preferences, an ordered list of games is produced and can be served as recommendations. The games recommendation is produced without human intervention. The process is based on the legitimate interest of LeoVegas in providing a customised, quality experience for its players.

10. COOKIES

Our Website uses cookies. For further information on what cookies are, which cookies We use, how and why We use cookies, and how You can control which cookies are dropped, please read Our Cookies Policy.