DATA PROTECTION POLICY

The General Data Protection Regulation (EU) 2016/679 (GDPR) and the Data Protection Act (Cap 586) regulate the processing of personal data whether held electronically or in manual form. The Responsible Gaming Foundation is set to fully comply with the Data Protection Principles as set out in The Data Protection Act.

Purposes for collecting data

The Responsible Gaming Foundation collects and processes information to carry out its obligations in accordance with present legislation. All data is collected and processed in accordance with Data Protection Legislation, Data Processing Services Agreements and the Gaming Act.

Recipients of data

Personal Information is accessed by the employees who are assigned to carry out the functions of the Responsible Gaming Foundation. Personal Data may also be disclosed to all competent regulatory authorities or entities according to law.

Your rights

You are entitled to know, free of charge, what type of information the Responsible Gaming Foundation holds and processes about you and why, who has access to it, how it is held and kept up to date, for how long it is kept, and what the Unit is doing to comply with Data Protection Legislation.

The GDPR establishes a formal procedure for dealing with data subject access requests. All data subjects have the right to access any personal information kept about them by the Responsible Gaming Foundation, either on computer or in manual files. Requests for access to personal information by data subjects are to be made in writing and sent to the Data Controller of the Responsible Gaming Foundation.

Your identification details such as ID number, name and surname have to be submitted with the request for access. In case we encounter identification difficulties, you may be required to present an identification document.

The Responsible Gaming Foundation aims to comply as quickly as possible with requests for access to personal information and will ensure that it is provided within a reasonable

timeframe and in any case not later than one month from receipt of request, unless there is good reason for delay. When a request for access cannot be met within a reasonable time, the reason will be explained in writing to the data subject making the request. Should there be any data breaches, the data subject will be informed accordingly.

All data subjects have the right to request that their information is not used or is amended if it results to be incorrect. Data subjects may also request at any time, that their data is erased. Such request shall be done in writing.

These rights may be restricted, if applicable, as perRegulation (EU) 2016/679.

The controller shall take the appropriate measures in accordance to what the law regulates, when information has been provided by the data subject, whether the data subject has given his consent or otherwise.

In case you are not satisfied with the outcome of your access request, you may refer a complaint to the Information and Data Protection Commissioner, whose contact details are provided below.

Retention Policy

Your personal data is collected ‘inter alia’ as per Article 6 of Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and subject to such terms as stipulated in the said Regulation.

When processing is based on the consent of the data subject, then in such case, the Responsible Gaming Foundation shall retain such personal data, up to and until the data subject withdraws his or her consent at any time.

When processing is in relation to a child, the processing of the personal data of a child shall be lawful where the child is at least 16 years old.

Where the child is below the age of 16 years, such processing shall only be lawful if and to the extent that consent is given by the holder of parental responsibility over the child.

When processing is not based on the consent of the data subject, the data controller shall provide the data subject with the information as clearly established under Article 14 of Regulation (EU) 2016/679 and ‘inter alia’ with the legal basis for processing and the recipients of such data.

The following schedule outlines the retention requirements for the various categories of documentation within the Responsible Gaming Foundation of the data subject.

Data that needs to be destroyed after the noted time frames will be disposed of in an efficient manner ensuring that such information is no longer available within the Responsible Gaming Foundation.

The data subject shall have the right to obtain from the Data Controller without undue delay the rectification of inaccurate personal data.

Furthermore, the data subject shall have the right to obtain from the Controller the erasure of personal data concerning him or her without undue delay and the Controller shall have the obligation to erase personal data without undue delay when –

(i) the personal data is no longer necessary in relation to the purposes for which they were collected or otherwise processed

(ii) the data subject withdraws consent on the basis that the personal data is no longer necessary

(iii) the data subject objects to the processing by automated means of personal data as per article 21(1) of Regulation EU) 2016/679,

(iv) the personal data has been unlawfully processed

(v) the personal data has to be erased for compliance with a legal obligation in Union or

Member State law to which the controller is subject;

The Data Protection Officer may be contacted on dpo.rgf@rgf.org.mt or by telephone on +356 21 499030/1.