Valid from 12 August 2019
Your trust is important to us!
You’re playing it safe by gambling on mycasino. We respect your privacy and our top priority is to protect your data.
Grand Casino Luzern AG (hereinafter referred to as ‘GCL’ or ‘the Organiser’) has set itself the goal of providing users (hereinafter referred to as ‘the Player’) with a safe and socially acceptable, personalised online gambling experience. To be able to offer the range of games on the mycasino.ch website (hereinafter referred to as the ‘gambling platform’) and the associated services, the Organiser must process the Player’s personal data. The Organiser protects the Player’s privacy and undertakes to protect their personal data.
The Organiser complies with Swiss legislation, particularly the applicable laws and regulations concerning data protection, and especially the Swiss Federal Act on Data Protection (FADP). The Organiser is also certified by the ‘[email protected]®’ and ‘ISO/IEC 27001 Information Security Management System’ labels.
Grand Casino Luzern AG is responsible for collecting and processing personal data. Grand Casino Luzern AG’s company data protection officer is also available to the Player as a contact for matters related to data protection.
Grand Casino Luzern AG (Commercial register no. CHE-108.361.212) Haldenstrasse 6 6006 Lucerne Switzerland Email: [email protected] Tel.: +41 (0)41 418 56 56 Data Protection Officer Grand Casino Luzern AG Haldenstrasse 6 6006 Lucerne Switzerland Email: [email protected] Tel.: +41 (0)41 418 56 56
Legal bases for data processing and data transfer
As a licensed Swiss casino, the Organiser is particularly subject to the following Swiss laws and ordinances concerning gambling that require the casino to collect and process personal data:
- Federal Act on Gambling (Gambling Act, GamblA)
- Ordinance on Gambling (Gambling Ordinance, GamblO)
- FDJP Ordinance on Casinos (FDJP Casinos Ordinance, CO-FDJP)
- Federal Act on Combating Money Laundering and the Financing of Terrorism (Anti-Money Laundering Act, AMLA)
- Ordinance of the Federal Gaming Board on the Diligence of Casinos in Combating Money Laundering (FGB’s Anti-Money Laundering Ordinance, AMLO-FGG)
To fulfil its legal obligations, and particularly to protect the Player from excessive gambling and to combat crime and money laundering, the Organiser processes the following data and may disclose the same to the supervisory authority:
- Data collected during the Player’s online registration.
- Data about the Player’s gambling behaviour and financial transactions.
- Data about the Player’s personal, professional and financial situations.
- Data about the Player’s suspension.
Player data is transferred in pseudonymised form to a data recording system located in Switzerland, which provides the Player data for the supervisory authority. See Para. 5 for the data retention duration.
Data collected by the Organiser
Data that the Player provides to the Organiser
The Organiser collects personal data that the Player provides to the Organiser in connection with the player account. To be able to use the range of games on offer, the Player must have a player account on the gambling platform.
When opening a player account, the Player must provide personal information about themselves (first name, surname, date of birth, sex and nationality) and their residential address (street, postcode, town/city, country).
In the context of converting their account from a temporary player account to a final one, the Player will be asked to provide a copy of an official identification document (passport, identity card, driver’s licence) and proof of residence (e.g. bank/postal account statement or electricity, water, landline bill) to verify the personal details and residential address provided.
The Organiser collects the personal data that the Player provides to the Organiser for administration of the gambling platform, including the processing of payment transactions.
The Player will also provide the Organiser with data if they contact the Organiser, take part in the Organiser’s activities or otherwise transfer data to the Organiser.
The Organiser is entitled to demand salary statements, proof of assets or tax documents from the Player in order to fulfil the legal obligations to combat money laundering and the financing of terrorism or to be able to implement early detection measures to identify a possible gambling addiction.
Data that the Organiser collects from other sources
In addition to the data that the Player provides to the Organiser, the Organiser may collect and/or update personal data from third parties (e.g. public registers, credit agencies, subcontractors).
The data that the Organiser collects through third parties includes:
- Identification details such as the first name, surname, date of birth and residential address details to ensure that the information provided by the Player is correct.
- Data from game providers indicating whether the Player has committed fraud or otherwise breached the General Terms and Conditions, bonus regulations, game rules or applicable laws in the past. The Organiser also collects data on the Player’s playing behaviour, including segmented data, and profile data.
- Data that the Organiser must check by law, e.g. to determine whether the Player is a politically exposed person in the context of the Federal Act on Combating Money Laundering and the Financing of Terrorism.
- Data to prevent fraud, other criminal offences and improper conduct against the Organiser and/or other players. This includes checking devices connected to the internet to assess the risk of fraud and to determine whether fraudulent behaviour has occurred in the past.
Data that the Player generates through using the gambling platform
The Organiser collects data resulting from the use of the range of games on offer, including transactions to and from the player account. This means that the Organiser stores and processes data about how the Player uses the gambling platform. This information includes, for example, games that the Player plays, the services used, the promotions used, the events attended, the payment transactions made from/to external payment providers and correspondence between the Player and the Organiser.
Purpose of personal data processing
The Organiser collects and processes the Player’s personal data if doing so is necessary to fulfil the contractual and legal obligations. The table below gives an overview of the purpose of the Organiser’s collection and processing of personal data and the legal bases. Insofar as the collection and processing of personal data is necessary for the Organiser to conclude the contract with the Player and to fulfil its contractual obligations, this is not mentioned further in the table.
Purpose Justification of the necessity of data processing Legal basis Player account registration Processing is necessary so that the Player can open a player account with the Organiser. The full range of games on offer requires the Player to register for a player account on the gambling platform. Player account – If you want to have access to an online range of gambling entertainment, you need to create a player account with the Organiser (Art. 47 GamblO). Identity/address verification To ensure that the Player exists and is a resident of or has their habitual abode in Switzerland, the Player’s details are checked with credit agencies when the player account is opened and a copy of an official identification document or an electricity, water or landline bill in the Player’s name is requested from the Player. Fulfilment of legal obligations – Personal data needs to be collected and processed to enable the Organiser to fulfil its legal verification obligations (Art. 47 et seq. GamblO). Management of the range of games on offer and the Player’s data Processing is necessary to provide the range of games on offer, including the transfer of funds between the player account, accounts held with external payment providers and the Organiser’s bank accounts, to manage customer funds and to manage the Player’s data. Data processing is also necessary to maintain the customer relationship between the Player and the Organiser. Compliance with legal due diligence obligations – Processing is necessary to fulfil one or more of the Organiser’s legal obligations (Arts. 3 and 13 AMLO-FGG). Provision of an individual and personalised range of games Processing is necessary to provide the Player with personalised content on the gambling platform, as well as specific offers and similar promotions. See introductory remark. Delivery and provision of good-quality customer service The Organiser offers customer services by chat, email and phone. The Organiser uses the information that the Player provides to resolve problems and to investigate and respond to complaints concerning the gambling platform. The Organiser also records conversations with customers to ensure the quality of the Organiser’s customer service and for training purposes to improve and further develop the Organiser’s customer service. See introductory remark. In the event that a person who is not a customer contacts the Organiser’s customer service, processing is based on legitimate interests. Processing is necessary to protect the Organiser’s interests and the Player’s interests with regard to clarifying the matter. Prevention of misuse of the gambling platform, plus prevention and investigation of violations against the Organiser and/or the Player Processing is necessary to prevent and investigate fraud or other criminal offences. Processing is also necessary to prevent and investigate a) attempts to illegally log into player accounts, or b) other actions that are prohibited by law or the agreement between the Player and the Organiser and by the Organiser’s or the game provider’s game rules. Processing is also necessary to provide a safe gambling experience, to improve and further develop the Organiser’s IT environment and to protect the Player and their player account from attacks and intrusion. See introductory remark. In cases where processing is not necessary to fulfil the agreement between the Player and the Organiser, such processing is based on a legitimate interest in protecting the gambling platform from misuse and violations against the Organiser or the Player. Responsible gambling
- Protecting the Player from gambling addiction and from making bets that are disproportionate to their income and assets.
- Compliance with legal and regulatory requirements.
- Offering functions and services that help the Player to control their gambling behaviour.
The Organiser processes personal data if the Player uses the following features and offers: Functions and services provided by the Organiser to allow the Player to make informed decisions about their gambling behaviour, such as deposit limits, temporary withdrawal from gambling or reminders regarding their own gambling activity. Questionnaires and/or self-tests and financial documents requested by the Organiser to obtain the necessary information to comply with legal obligations. The Organiser also processes data resulting from the use of the range of games on offer, including profiling of gambling behaviour, to identify, combat and prevent problematic gambling and to comply with legal obligations. The Organiser also processes personal data to ensure that the Player is not registered in a suspended persons register (veto register) and to respond to requests if the Player wishes to be excluded from the gambling platform. The Organiser is legally obligated to suspend a Player if it is suspected that the Player in question is insolvent, does not meet their financial obligations or takes risks by making bets that are disproportionate to their income and assets. The Organiser processes anonymised data to evaluate the effectiveness of the measures taken and to conduct research in the field of preventing addiction. Compliance with legal obligations – Processing is necessary to fulfil one or more of the Organiser’s legal obligations (Arts. 76 to 81 GamblA and Arts. 87 to 91 GamblO). In cases where there is no legal obligation, the processing is done to protect the Player and is based on the Organiser’s legitimate interest in responsible gambling. Management of events and other occasions, promotions, competitions and tournaments, including travel and award ceremonies The Player has the opportunity to take part in promotions, competitions, tournaments and events organised by the Organiser. For the Player and any accompanying person to take part in these activities, their personal data needs to be processed to manage participation. See above remark. Marketing of the range of games on offer The Organiser processes personal data to advertise its products, services and promotions as well as events. The Organiser also processes personal data through what is known as ‘profiling’ to propose tailor-made offers and marketing measures to the Player. The Player may waive their right to receive personalised offers generated through the creation of profiles by changing their personalised marketing settings in their player account at any time. In the player account, the Player can also choose what communication channels they want to use to receive personalised offers. Legitimate interest – Processing is based on a legitimate interest in marketing the range of games on offer, including various events organised or sponsored by the Organiser. Communication The Organiser communicates with the Player through various communication channels such as email, mobile phone, gambling platform notifications, messages to their gambling platform inbox and other similar channels. Messages from the Organiser may contain information about the Organiser, availability and security of the gambling services, reminders and marketing announcements from the Organiser and its business partners. The Player can change their communication settings in their player account at any time. It must be noted that the Player may not unsubscribe from the Organiser’s service notifications containing customer information, safety notices and legal notices. Contract performance – Some notifications are necessary to enable the Organiser to meet its obligations under the agreement between the Player and the Organiser, such as the obligation to provide information on security and legal matters. Legitimate interest – Some notifications are based on a legitimate interest in being able to send information about the Organiser, its products and services, as well as its promotions. Further development of the range of games on offer and conducting surveys as well as performing business analyses and statistical calculations
Processing is necessary to further develop and improve the range of games on offer and to make them user-friendly for the Player.
Among other things, the Organiser analyses the usage behaviour of the range of games on offer to be able to take measures for improvement and development.
Legitimate interest – Processing is based on a legitimate interest in improving and developing business activities, including the range of games on offer, and the interest in providing players with a user-friendly range of games. Veto list (suspension) If a Player would like to be suspended or has to be suspended for gambling, their personal data is added to a veto list. This list must also be consulted by other Swiss casinos and lotteries. Compliance with legal due diligence obligations – Processing is necessary to fulfil one or more of the Organiser’s legal obligations (Arts. 76 to 82 GamblA and Arts. 87 to 91 GamblO). Fulfilment of the Organiser’s legal obligations in general Processing is necessary to fulfil the Organiser’s obligations under law and the jurisdiction of courts and authorities. The Organiser is obligated to comply with the applicable laws, e.g. ensuring safe and transparent gambling operations, providing protection against gambling addiction, preventing crime and combating money laundering and the financing of terrorism. Compliance with legal obligations – Processing is necessary to fulfil one or more of the Organiser’s legal obligations.
Processing for other purposes
In principle, personal data is only processed for the purposes for which it was collected. However, personal data may also be processed for other purposes if they are compatible with the original purposes or if doing so is necessary for legal reasons.
Duration of data storage
The Organiser does not store data for longer than is necessary for the stated purposes. In principle, the Organiser stores personal data for up to three years following termination of the customer relationship to comply with legal requirements and to support the Player if necessary and ensure business continuity if the Player returns to the Organiser. The data is then deleted or anonymised so that it can no longer be linked to the Player as a person. However, the Player may request that the Organiser anonymise their personal data earlier if the customer relationship is terminated and the Organiser does not need the personal data to comply with its legal obligations.
Depending on the purpose or the existing legal retention and documentation obligations, the Organiser may store personal data for less than three years following termination of the customer relationship. For example, the Organiser may store personal data if the Player has taken part in events, promotions, competitions or tournaments, including travel and award ceremonies, until such time that the same have been completed and the follow-up to the event in question has been completed.
The Organiser must also store some of the personal data for longer than three years following termination of the customer relationship to comply with legal, official and/or licensing conditions. For example, the Organiser is obligated to retain some of the personal data for an indefinite period of time if it relates to a voluntary or ordered suspension from gambling. A retention period of ten years following termination of the customer relationship applies to data relating to combating money laundering and the financing of terrorism (Art. 21 AMLO-FGG). This data includes:
- List of all identified players
- Copies of identification documents
- Documentation relating to registered transactions
- Players’ declarations of the beneficial owner
- Documentation and notes relating to the results of specific clarifications
- Documentation and notes relating to risk classification and to the results of the use of the risk characteristics
In such cases, the Organiser processes only those parts of the personal data that are required for these specific purposes.
The Organiser may also process personal data for more than three years following termination of the customer relationship if the personal data is involved in ongoing legal proceedings.
All documentation relating to reported money laundering is kept for five years following the reporting date and then immediately destroyed.
If customer conversations are recorded, the Organiser stores such recordings for 90 days.
In the event that the Player does not wish to receive information about the Organiser’s marketing activities or revokes their consent, the Organiser will stop processing personal data for this specific purpose.
Automated decisions for individual players
To comply with the legal requirements, the Organiser checks some of the personal data and makes automated decisions based on these checks. This also includes decisions concerning the Player’s right to use the games that the Organiser has on offer.
The Organiser applies other automated decisions regarding responsible gambling, which may include blocking players or transactions in the player account. The aim of these decisions is to prevent problematic gambling, identify gambling problems and draw the Player’s attention to their gambling behaviour.
The Organiser may also terminate a customer relationship or block a player account if a Player is inactive and it is likely that the Player in question will not use the range of games on offer.
Disclosure and transfer of personal data
Disclosure of personal data
The Organiser must disclose personal data if it is obligated to do so due to laws, requirements or the prompting of an authority (e.g. police, public prosecution department), which may also include disclosing the data in cases where the Organiser suspects that a criminal offence has been committed.
To provide some of the range of games on offer, the Organiser works together with what are known as ‘data processors’, i.e. companies that process personal data on behalf of the Organiser according to their instructions. The Organiser cooperates with the following data processors:
- Game providers to be able to offer a wide range of games.
- IT companies that provide IT solutions for operation, technical support and customer service, as well as for maintaining the range of games on offer and other activities carried out by the Organiser.
- Companies that offer payment solutions, such as banks, acquirers and other payment service providers, insofar as these companies do not act as independent data controllers.
- Companies that provide services to combat and detect fraud, other criminal offences and/or other impermissible conduct.
- Companies that engage in marketing, such as media and advertising agencies and affiliates.
Personal data will only be disclosed to data processors for purposes that are consistent with those for which the Organiser has collected personal data, e.g. to meet the Organiser’s contractual obligations.
The Organiser monitors and ensures that each data processor provides adequate safeguards with regard to the security, protection and confidentiality of personal data. The Organiser has concluded written agreements with all data processors that regulate the data processors’ obligations. These agreements obligate the data processors to, among other things, comply with the Organiser’s written instructions and the security requirements, restrictions and requirements applicable to personal data transfer.
Within the Organiser’s group of companies
Other companies (independent data controllers)
The Organiser discloses personal data to other companies that the Organiser cooperates with but that do not act as data processors. This means that these companies, being what are known as ‘independent data controllers’, decide for themselves how personal data is processed. The Organiser discloses personal data to the following companies that are responsible for the personal data themselves:
- Companies that offer payment solutions, such as banks, acquirers and other payment service providers.
- Companies that offer booking services for travel, airlines, hotels, etc.
- Companies that award prizes to players for taking part in an event/activity organised by the Organiser.
- Certain game providers that deliver games to the gambling platform.
- The Organiser transfers anonymised data to research institutes to contribute to research in the field of preventing gambling addiction.
In cases where personal data is disclosed to a company that processes personal data independently of the Organiser, the respective company’s privacy policies and regulations concerning the handling of personal data apply.
For further information about the companies that process personal data independently of the Organiser, the Player may contact the Organiser or the following authority: Independent data controllers.
Transfer of personal data
The Organiser places the highest value on data protection. The Organiser’s data protection management bears the internationally recognised [email protected]® certificate, which is awarded for the exemplary implementation of data protection. In line with the Organiser’s high quality standards, personal data is preferably processed within Switzerland, the European Union (EU) and the European Economic Area (EEA). A data centre for the Grand Casino Luzern AG in Switzerland and a data centre in the EU are primarily used to process personal data. In cases where it is necessary to transfer personal data outside of Switzerland or the EU/EEA, e.g. for the purpose of disclosing personal data to a data processor who, either themselves or through one of their subcontractors, stores personal data in a country outside of Switzerland’s borders or the EU/EEA or has its subsidiaries in a country outside of Switzerland’s borders or the EU/EEA, the Organiser takes the necessary and adequate legal, technical and organisational measures to ensure that the level of protection corresponds to that of Switzerland. When personal data is transferred to a country outside of Switzerland’s borders, the level of protection is determined either by the list of countries [Link to the FDPIC’s list of countries] maintained by the Data Protection and PR Officer and containing countries with adequate data protection legislation, or by the fact that the company is linked to Switzerland via the ‘Swiss-US Privacy Shield Framework’. Other suitable safeguards are approved codes of conduct in the recipient country and the application of internal, binding company guidelines.
Rights of access
The Player is entitled to access their personal data that the Organiser processes about the Player. However, the Player’s access rights assume that a) such personal data does not jeopardise the rights and freedoms of third parties, b) access to personal data is not prohibited by legal provisions such as the Federal Act on Combating Money Laundering and the Financing of Terrorism, and c) the information does not jeopardise the outcome of a criminal or other investigation. In cases where it receives a request for information, it must be noted that the Organiser may request further information from the Player to guarantee effective processing of the request and disclosure of the data to the correct person.
Right to rectification and amendment
The Player has the right to have any incorrect personal data rectified and any incomplete personal data amended within the stated purpose. To do so, the Player contacts the Organiser’s Customer Service department and requests that the relevant rectification or amendment be made.
Right to be forgotten
The Player has the right to request that the Organiser erase or remove all or part of their personal data, e.g. if the personal data is no longer required for the purposes for which it was collected or was processed in another way.
It must be noted that the Organiser can reject the request to erase or anonymise the personal data if processing is carried out based on legal obligations applicable to the Organiser such as the Federal Gambling Act or the Federal Act on Combating Money Laundering and the Financing of Terrorism. The Organiser may also reject the request for erasure and anonymisation of the personal data if it has a legitimate interest in processing or if the Organiser requires such personal data to establish, assert or defend legal claims.
Right to restriction of processing
Under certain conditions, the Player has the right to request that the processing of their personal data be restricted. This may be the case, for example, if the Player disputes the accuracy of the personal data or the processing is unlawful and the data subject refuses erasure of the personal data and instead requests that use be restricted.
The Organiser is entitled to continue to store and process personal data for the duration of the restricted processing asserted by the Player to establish, assert or defend legal claims or to protect the rights of other natural or legal persons. The Organiser can also process this data if the Player has given their consent or if public interests require that this be done.
Right to object
The Player has the right to object to certain types of processing, e.g. the processing of personal data for direct marketing and other types of processing, if the Organiser has no legitimate interest in this regard.
The Player can choose which communication channels the Organiser may use to send advertising to the Player using the settings in their player account. If the Player does not wish to receive such notifications, the Organiser will stop sending such information to the Player and stop processing personal data for this purpose.
The Organiser may continue its processing of personal data that has been objected to if it asserts due cause or if the Organiser’s interests take precedence over the Player’s interests until such time that the situation is legally clarified. Otherwise, in the event the Player objects, the Organiser may only process the personal data to establish, assert or defend its own legal claims.
Revocation of consent
If the Organiser bases personal data processing on the Player’s consent, the Player may revoke such consent at any time and at no cost by contacting the Organiser’s Customer Service department.
The revocation of consent will not affect the lawfulness of the processing carried out up to that point in time.
The Organiser takes adequate measures to protect personal data from unauthorised access and from unlawful or unauthorised processing, including theft, erasure, alteration, disclosure and transfer of such personal data. These measures include a) the greatest possible restriction of the group of persons authorised to access personal data, b) the restriction of the authorised persons’ ability to make changes, and c) technical obstacles to infringements, including encryption during transfer and storage, firewalls, strict password requirements and alert functions that report attempted infringements. The data will be pseudonymised if feasible to protect the Player’s privacy as much as possible.