Privacy Policy

The Cyprus Gaming and Casino Supervision Commission has its registered office in 3 Thaleias Str, 1st floor, 3011 Limassol, Cyprus. The Commission in the course of its activities processes the personal data of data subjects and is a data controller regulated by the Cyprus Office of the Commissioner for Personal Data Protection. Our website is hosted with a third party located in the Republic of Cyprus, but your information may be stored elsewhere within the EEA depending on the location of the third party’s storage facilities. By accessing the Commission’s website or data collection processes or otherwise engaging with the Commission, its Officers, Commissioners, employees or designated third parties, you are agreeing to these terms of engagement.

We collect your personal data from various sources, including:

• Personal data you give us directly
• Personal data which are produced from the execution of our contractual relationship
• Personal data which are produced during the compliance with our legal obligations including as supervisory authority and regulator for casino gambling in Cyprus and as the AML supervisory authority for casino gambling.

We collect personal information about you when you:

• Contact us for advice or information via the website or telephone
• Make an application for a license
• Use our website
• Enquire about a job opportunity
• Work for or with the Commission
• Exchange business cards or contact details with an employee or Officer of the Commission
• Attend one of our informational or consultation events
• Provided by the licensed casino operator in the course of discharging its legal requirements to us or in the course of an investigation

We do not collect personal data from other sources without your previous notice.

We may collect data about licensees, prospective licensees, job applicants, our current and former employees, suppliers, service providers and expert consultants.

We do not collect any personal data from your accessing the website, except for information that you submit via the various forms accessible on our website. The information collected may include but may not be limited to the following personal information: name, title/position, email address, organization/company name, business address, business telephone, mobile number, credit card details and billing information, screen name or passwords, opt-in selections, work history, and details of any convictions.

In the future, we may offer users the opportunity to sign up for an email news bulletin, in which case we would collect data from you for that purpose. We will collect information via certain third parties such as Google Analytics in order to enhance and focus improvements on our website for visitors. This will include the downloading of certain forms or documents residing on the Commission’s website server, and information shared between your computer, Internet Service Provider, browser or other data, with our server.

We will collect any information about the individuals contained in any email, website contact forms or telephone calls between the individuals and the Commission.

We collect information from prospective or current licensees that may include employment history, company director and ownership information, financial information, criminal records, information about reputation and associations, and records of compliance in other jurisdictions.

In the future, we may collect information about you from third parties that we work with for the purposes of providing or delivering licensee benefits, communication and services or general communications. For example, we may wish to send email updates about licensing changes or upcoming deadlines using a third party who is able to deliver ‘bulk’ emails. Similarly, in the future we may engage a third party to help provide online application systems to process credit card payments and other forms of payment systems.

Such third parties would collect information directly from you on our behalf.

These third parties may or may not be located within the European Economic Area (EEA) boundary.

Our website may contain content and links to other websites, functions and processes that are owned, operated and managed by third parties. As such, we do not control these third-party websites, functions or processes (including their policy on cookies) and our Privacy Policy does not apply to them. You should consult the Terms and Conditions and the Privacy Policy of the relevant third- party websites to understand their Data Collection practices and policies.

We may use your data for the following purposes:

• to provide you with information or advice that you have requested from us
• for general administrative, accounting and licensee registration operations
• for analytical purposes to enable us to develop our website and identify relevant content
• to keep you informed about our services, our insight into casino gambling trends and information that may be of interest to you
• to provide information on where those with gambling problems can find assistance and to protect vulnerable persons and minors
• to share information with third parties to deliver Commission’s services (a future development)
• to invite you one of our informational events or consultations
• to process a license application
• to process job applications
• to fulfil our obligations as an employer
• to adhere to Cyprus and EU law and regulations, including as supervisory authority and regulator for casino gambling and AML
• to process payments and collections relating to licensing applications
• for investigations of issues and complaints within our legal authority

Your personal information in the European Economic Area (EEA) is protected by data protection laws, other countries do not necessarily protect your personal information in the same way. The EEA covers all countries in the EU plus Norway, Liechtenstein and Iceland. Under various agreements with regulators outside the EEA, we may transfer personal data of licensees or applicants for licenses outside the EEA. Such transfers may be made on the basis of your consent or as a condition to the licence.

In particular, the lawful basis for processing data subject’s data are as follows:

• Article 6 par. 1b GDPR permits processing where it is necessary for the performance of a contract to the data subject, are counterparty or in order to take steps at the request of the data subject prior to entering into a contract;

On this basis we rely, for example, for processing personal data during applications or negotiations of any kind of procurement procedure, contract, or commercial agreements for provision of goods or services to the Commission by holding and processing the information internally and/or disclosing your data when required by a third party recipient, bank and insurance organization through which we can fulfill our contractual obligations to you.

• Article 6 par. 1c GDPR permits processing where it is necessary for compliance with a legal obligation to which the controller is subject.

This applies to our statutory obligations such as our role as casino and AML supervisory authority and regulator in Cyprus, for tax or insurance requirements, and to process license applications and issue licenses for individuals or legal entities in relation to casino gaming or supply of goods and services related thereto.

• Article 9 par. 2b GDPR permits processing necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject. On this basis we rely, for example, for processing your data in relation to processing of employment applications and holding of Commission employee personal information.
• Article 6 par. 1e GDPR permits processing where it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (ar. 6 par. 1 lit. e GDPR)

On this basis we rely to carry out our legal obligations as a supervisory and regulatory authority for casinos under the Casino Operations and Control Law 2015, Casino Operations and Control Law (General) Regulations 2016 and AML supervisory authority for casinos under the Prevention and Suppression of Money Laundering Activities Law.

• Article 9 par. 2g GDPR permits processing where it is necessary for reasons of substantial public interest, on the basis of Union or Member State law We rely on this basis to carry out our legal obligations as a supervisory and regulatory authority for casinos and AML supervision of casinos.

We inform you that during the fulfillment of our legal obligations as a supervisory authority, we may process personal data related to criminal convictions and offenses.

Processing of such personal data or related security measures based on Article 6(1) are carried out only under the control of the Commission and on occasion contractors engaged to perform investigations that are subject to a confidentiality agreement.

The Commission retains your personal data for as long as the processing purpose persists, and after its expiration, we lawfully maintain your personal data when it is necessary to comply with a legal obligation under ΕU or national law (for example, Labor, Tax Insurance and Administrative Law) as well as in the case where the maintenance is necessary for the foundation, exercise or support of the legal claims of the Commission.

• We retain personal data both online in secure servers and offline in paper files. Our website hosting service monitors and maintains updated technology and security protocols for its website to protect data. Data held in paper files or archived offline for general administrative operations is secured and/or destroyed.
• When you give us personal information, we take steps to ensure that it’s treated securely and strive to protect it on our internal systems. Our secure server systems encrypt your information. We use Transport Layer Security (TLS) to encrypt and protect email traffic in line with government standards. If you email service does not support TLS, you should be aware that any email we send or receive may not be protected in transit.
• We will also monitor any emails sent to us, including file attachments, for viruses or malicious software. Please be aware that you have a responsibility to ensure that any email you send is within the bounds of the law.
• However, we cannot guarantee that unauthorized third parties such as ‘hackers’ will never access your information after breaching security measures.
• We will retain your information for as long as is necessary to provide a licensing and regulatory service and for as long as is required for legal (including tax and accounting) purposes.

• We will disclose your information to our employees, service providers and expert consultants as necessary to perform their duties and tasks for the Commission. However, we only disclose the personal information necessary to deliver that service and have a contract in place that requires them to keep your information secure and not to use it for other purposes.
• We will disclose your data or information if required by law, for example by a court order or for the prevention of fraud or another crime. We may send information about you to the police and other parties in the justice system in order for them to investigate, prosecute or otherwise perform their functions.
• Our IT systems support provider acts as a data processor on our behalf. They do not routinely access the data on our systems but may have to provide maintenance and upgrade services which gives them access to the data.

Right of Access

You have the right to receive a) confirmation regarding the processing of your data, and b) a copy of your personal data.

Right to rectification

You have the right to obtain from the Commission the rectification of inaccurate personal data concerning you, or ask to have incomplete personal data completed, when they are inaccurate.

Right to erasure

You have the right to obtain from the Commission the erasure of personal data concerning you, if you no longer wish to have such data processed and if there is no legitimate reason for the Commission to retain it as a controller.

In particular, this right shall be exercised:

• when the lawful basis for processing is your consent and you withdraw it, so the data should be deleted if there is no other lawful basis for processing.
• when your personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed or unlawfully processed or if you object to the processing and there are no compelling and legitimate reasons for processing.

It should be noted, however, that this is not an absolute right, as the further retention of personal data by the Commission is lawful when necessary for reasons such as compliance with a legal obligation of the Commission or the foundation, exercise or support of legal claims.

Right to restriction of processing

As an alternative to the right to erasure and the right to object, you have the right to request that the Commission processes your data only in specific cases.

When do you have this right?

When:

– you correctly bring to the attention of the Commission the inaccuracy of all or part of your data, and the Commission as Controller examines and confirms the inaccuracy

– the processing is unlawful, or

– the data is no longer necessary for the purpose of processing, but you ask the Commission to retain it for the exercise and defense of your legal claims,

– You have exercised the right to objection and the Commission as a controller is examining the existence of an overriding legal interest therein.

The exercise of this right may be combined with the right to rectification and the right to object.

Specifically,

1. a) If you request the rectification of your inaccurate data, you may request a restriction of processing for as long as the Commission examines the rectification request,
2. b) If you request the right to objection, you may request at the same time the limitation of the processing for as long as the Commission examines the claim.

Right to data portability

You have the right to receive your personal data that has been processed by the Commission as a controller in a structured, commonly used and machine-readable format (for example XML, JSON, CSV, etc.). You also have the right to ask the Commission to transmit this data to another processor without any objection.

The right to portability can only be exercised by you when all of the following conditions are fulfilled:

• personal data are processed by automated means (printed forms are excluded)
• the lawful basis for processing is either your consent or the performance of a contract to which you are a party (Article 6 (1) (c) of the GDPR);
• It is your own personal data as the data subject that are processed and has been provided by you.
• the exercise of the right does not adversely affect the rights and freedoms of others.

Right of objection

You have the right to oppose, at any time and for reasons related to your particular situation, to the processing of personal data concerning you when the processing is based either on a task performed in the public interest or on where the Commission has a legitimate interest, including profiling.

The Commission will be required to stop such processing unless it demonstrates imperative and lawful reasons for processing that override your interests, rights and freedoms, or for the foundation, exercise or support of legal claims.

Right to non-automated individual decision-making including profiling. If the Commission needs to make a decision that produces legal effects for you based solely on automated processing the following apply:

• The Commission as a controller may lawfully make such a decision only if you have given us your explicit consent or when the decision is necessary for the conclusion or performance of a contract between us or if such a decision is permitted by EU or national law, which provides for appropriate measures to protect the rights of the subject.
• If this decision is made as necessary for the conclusion or performance of a contract between us, namely the Commission as a controller and you as the data subject or upon your explicit consent, you have the right to challenge this decision, so that the Commission will be obliged to apply measures to protect your rights, ensure human interference in decision-making, or the right to express an opinion and challenge your decision as a subject of the data.
• If the Commission intends to perform automated data processing, including profiling, it will provide you, upon receipt of your data (when collected by you) or in a reasonable time (when taken from another source) and the following additional information:
• whether and to what extent automated decision-making takes place, including profiling,
• on the logic followed,
• on the importance and predicted consequences of the processing,
• information on the subject’s right to object, which is clearly and separately described from any other information.
• in any case of profiling, you are entitled to limit the processing at any stage,
• The Commission will be required to delete the relevant personal data if the basis for profiling is your consent and it is revoked or if you exercise the right to delete its data and if there is no other legal basis for processing in accordance with the provisions of the GDPR Regulation.

Our legitimate interests

We believe that all of the purposes we process data are justified on the basis of our legitimate interests in operating the Commission and acting as supervisory authority and regulator for casino gambling and AML in the Republic of Cyprus, our legal requirements under Cyprus and EU law, and our obligations as a public law legal body and a responsible employer.

Your interests

When we process your personal information for or legitimate interests, we will consider and balance any potential impact on you and your rights under data protection and any other relevant law. Our legitimate interests do not automatically override your interests- we will not use your personal activities for activities where our interests are overridden by the impact on you (unless we have your consent or otherwise required or permitted to by law.)

Commissioner

If you find that your personal data is being processed unlawfully or your personal data has been violated, provided that you have previously contacted the Commission for the matter and you have exercised your rights towards the Commission, and you either did not receive a reply within one month either you believe that the answer you received from the Commission is inadequate and your issue is not resolved, you can contact the Office of the Commissioner for Personal

Data Protection address: Iasonos 1, 1082 Nicosia, Cyprus Postal address P.O.Box 23378, 1682 Nicosia, Cyprus Tel: +357 22818456 Fax: +357 22304565 for more information see the Web Portal

http://www.dataprotection.gov.cy.

The Commission shall implement appropriate technical and organizational measures to ensure an adequate level of protection of personal data in order to prevent the destruction, loss, alteration during any unauthorized access, disclosure or transmission to a non-entitled person or entity in any way.

The Commission has business continuity and disaster recovery plans that are periodically tested and updated and has in fact established and implemented appropriate policies and procedures for the security and protection of the data it processes.

In addition to this, the Commission has reviewed the contracts it holds with processors to require them to respect your personal data under the GDPR by taking and enforcing measures to secure them from risks of destruction of loss of altered unauthorized access to disclosure or transmission to a non-entitled person or entity in any way and by requiring a confidentiality clause.

The accuracy of your information is important to us. If you change your contact details or if you want to update any of the information, we hold on you, please contact us by email at dpo@cgc.org.cy or by post at: 3 Thaleias Str, 1st floor, 3011 Limassol, Cyprus.

You have the right to ask for a copy of the personal information the Commission hold relating to you, subject to any contrary provisions of other Cyprus or EU law. To do this please contact us by email at dpo@cgc.org.cy or by post at 3 Thaleias Str, 1^st floor, 3011 Limassol, Cyprus.

We will keep our Privacy Policy under review and will update it as necessary.