The  General  Data  Protection Regulation  (EU)  2016/679 (GDPR) and  the Data  Protection Act (Cap 586) regulate the processing of personal data whether held electronically or in manual form.  The  Responsible  Gaming  Foundation  is  set  to  fully  comply  with  the  Data  Protection Principles as set out in The Data Protection Act.


Purposes for collecting data


The  Responsible  Gaming  Foundation  collects  and  processes  information  to  carry  out  its obligations  in  accordance  with  present  legislation.    All  data  is  collected  and  processed  in accordance  with  Data  Protection  Legislation,  Data  Processing  Services  Agreements  and  the Gaming Act.


Recipients of data


Personal  Information  is  accessed  by  the  employees  who  are  assigned  to  carry  out  the functions of the Responsible Gaming Foundation.  Personal Data may also be disclosed to all competent regulatory authorities or entities according to law.


Your rights


You are entitled to know, free of charge, what  type of information  the Responsible Gaming Foundation holds and processes about you and why, who has access to it, how it is held and kept  up  to  date,  for  how  long  it  is  kept,  and  what  the  Unit  is  doing  to  comply  with  Data Protection Legislation.


The GDPR  establishes a formal procedure for dealing with data subject access requests.   All data  subjects  have  the  right  to  access  any  personal  information  kept  about  them  by  the Responsible Gaming Foundation, either on computer or in manual files. Requests for access to  personal  information  by  data  subjects  are  to  be  made  in  writing  and  sent  to  the  Data Controller of the Responsible Gaming Foundation.


Your identification details such as ID number, name and surname have to be submitted with the request for access.   In case we encounter identification difficulties, you may be required to present an identification document.


The Responsible Gaming Foundation aims to comply as quickly as possible with requests for access  to  personal  information  and  will  ensure  that  it  is  provided  within  a  reasonable


timeframe and in any case not later than one month from receipt of request, unless there is good reason for delay. When a request  for access  cannot  be met  within a reasonable time, the reason will be explained in writing to the data subject making the request.   Should there be any data breaches, the data subject will be informed accordingly.


All data subjects have the right to request that their information is not used or is amended if it  results  to  be  incorrect.   Data  subjects  may  also  request  at  any  time,  that  their  data  is erased.  Such request shall be done in writing.


These rights may be restricted, if applicable, as perRegulation (EU) 2016/679.



The controller shall take the appropriate measures   in accordance to what the law regulates, when information has been provided by the data subject, whether the data subject has given his consent or otherwise.


In  case  you  are  not  satisfied  with  the  outcome  of  your  access  request,  you  may  refer  a complaint  to  the Information and  Data  Protection  Commissioner,  whose  contact  details  are provided below.


Retention Policy


Your personal data is collected ‘inter alia’ as per Article 6 of Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and subject to such terms as stipulated in the said Regulation.


When  processing  is  based  on  the  consent  of  the  data  subject,  then  in  such  case,  the Responsible  Gaming  Foundation  shall  retain  such  personal  data,  up  to  and  until  the  data subject withdraws his or her consent at any time.


When processing is in relation to a child, the processing of the personal data of a child shall be lawful where the child is at least 16 years old.


Where the child is below the age of 16 years, such processing shall only be lawful if and to the extent that consent is given by the holder of parental responsibility over the child.

When  processing  is  not  based on  the consent  of the  data  subject,  the  data  controller shall provide  the  data  subject  with  the  information  as  clearly  established  under  Article  14  of Regulation (EU) 2016/679 and ‘inter alia’ with the legal basis for processing and the recipients of such data.


The  following  schedule  outlines  the  retention  requirements  for  the  various  categories  of documentation within the Responsible Gaming Foundation of the data subject.

DPP Table

Data that needs to be destroyed after the noted time frames will be disposed of in an efficient manner ensuring that such information is no longer available within the Responsible Gaming Foundation.


The data subject shall have the right to obtain from the Data Controller without undue delay the rectification of inaccurate personal data.


Furthermore, the data subject shall have the right to obtain from the Controller the erasure of personal data concerning him  or her without undue delay  and the Controller shall have the obligation to erase personal data without undue delay when –


(i) the personal data is  no longer necessary in relation to the purposes  for which they were collected or otherwise processed

(ii)  the  data  subject  withdraws  consent  on  the  basis  that  the  personal  data  is  no  longer necessary

(iii) the data subject objects to the processing by automated means of personal data as per article 21(1) of Regulation EU) 2016/679,

(iv) the personal data has been unlawfully processed

(v)  the  personal  data  has  to  be  erased  for  compliance  with  a  legal  obligation  in  Union  or

Member State law to which the controller is subject;



The Data Protection Officer may be contacted on or by telephone on +356 21 499030/1.



General Manager


The Responsible Gaming Foundation’s Data Controller may be contacted at:



90/91, Second Floor, Psaila Street, Birkirkara, BKR9073

Telephone:  21499030/1




The Information and Data Protection Commissioner


The Information and Data Protection Commissioner may be contacted at: Level 2, Airways House,

High Street, Sliema  SLM 1549

Telephone:  +356 23287100