The Isle of Man Gambling Supervision Commission (“the GSC”) is registered with the Isle of Man Information Commissioner as a data controller under Isle of Man data protection legislation.
The purpose of this policy is to explain what information the GSC collects about individuals (‘personal data’), its reasons for doing so and how it holds, uses, secures and discloses that information in accordance with the Island’s data protection legislation, which consists of the legislation below and is collectively referred to as the Island’s Data Protection Law:
The Privacy Policy section of our website sets out how the GSC collects and uses information for other specific reasons.
Where reference is made to Manx gambling legislation, this refers to all legislation as detailed in the legislation sections of our website www.isleofmangsc.com/gambling/
For information on how the GSC manages personal data in relation to its regulatory activities for medicinal cannabis, please see our website www.isleofmangsc.com/privacy/
This privacy notice was last updated on 4 July 2024.
If you have any questions about how we process your personal information, you can contact our Data Protection Officer regarding your rights.
By email: DPO-GSC@gov.im
By telephone: 01624 698322
In writing:
Data Protection Officer
Gambling Supervision Commission
Ground Floor, St George’s Court,
Myrtle Street, Douglas,
Isle of Man, IM1 1ED
Section 4 of the OGRA requires a company to be under the control and management of persons of integrity and competence.
To make its assessments, the GSC may make such enquiries as may reasonably be expected to satisfy itself that the corporate entity meets these statutory requirements.
In the event of any suspicion of any specified crimes, including but not limited to money laundering, funding of terrorism, and manipulation of sports competitions, licensees may forward specific player data to the GSC, as well as to other supervisory Authorities.
The GSC is legally bound to process this data in the course of its investigations into these crimes, and may transfer such data to another body, or Authority where the law requires, or permits it to do so. This may include any relevant public authorities, local or overseas, gaming regulators, sports integrity bodies, sports governing bodies, and law enforcement agencies.
The primary purpose for such transfer of data is for the Authority to perform its functions as mandated within the law.
The GSC is designated as a competent authority under Schedule 1 of the GDPR and LED Implementing Regulations 2018. We may share your personal data with other public authorities or law enforcement agencies to help us (or them) to exercise our (or their) functions appropriately, but only where it is lawful and proportionate to do so.
This information may also be relevant to our wider regulatory objectives and statutory functions. We may, for example, derive information from our investigations which help us improve our understanding of the gambling market and assessment of the risks it faces (and potential risks to consumers as a result), and to seek continuous improvements in the market and our regulation of it.
The GSC may also record adverse information obtained during the course of fulfilling its regulatory objectives, in relation to the activities of licence holders and the individuals who control or manage them, in order to safeguard the reputation of the Isle of Man and the international character of gambling, and specifically to prevent gambling from being a source of crime or disorder, associated with crime or disorder, or used to support crime.
We may also act as a prosecutor in relation to certain gambling offences. In this case, the relevant provisions of the Law Enforcement Directive as applied to the Isle of Man will be engaged.
Personal data obtained for law enforcement purposes is protected under Isle of Man data protection legislation and an individual's rights in relation to such personal data are more limited to reflect the fact that the data subject is subject to law enforcement proceedings.
As part of its regulatory functions aimed at protecting minors and vulnerable persons, the GSC carries out inspections at the premises of licensees.
During such inspections, a sample of players is asked to provide their personal information so as to allow the GSC’s inspectors to confirm that the players are not in the database of self-barred persons or below the age required by law to enter into such gaming premises.
The GSC ensures that such personal data relating to players is only used for the purposes for which it is collected; that is to ensure that the land-based gaming operator is abiding by the legal requirements related to the protection of minors and vulnerable persons that are applicable to him.
The GSC may also receive other general complaints relating to, for example, any gaming activity, gaming advertisement or data protection issue.
In this case, similarly to the above, the relevant department or individual within the GSC will log the complainant’s details and proceed with its investigation.
Such a complaint may also lead to enforcement action taken by the GSC, or by the Police, and in this case, the complainant’s data will be included within this investigation.
The Island’s Data Protection Law requires that the GSC, as the data controller, provides data subjects with information about his/her personal data processing in a concise, transparent and intelligible manner, which is easily accessible, distinct from other undertakings between the controller and the data subject, using clear and plain language.
The GSC, as the data controller, ensures that only personal data which is necessary for each specific purpose is processed. The Island’s Data Protection Law stipulates that any personal data processed shall be adequate, relevant and limited to what is necessary. This principle shall apply in terms of the amount of personal data collected, the extent of the processing, the period of storage and accessibility.
The GSC also ensures that personal data in its possession is accurate and, where necessary, kept up-to-date. The GSC takes every reasonable step to comply with this principle.
Periodic exercises are carried out by the GSC to ensure data accuracy and to rectify any inaccurate data in its possession.
The GSC ensures that when the need to keep any of the personal data in its possession ceases to exist, such personal data is deleted or anonymised.
The GSC has a Data Retention Policy which details the way in which the GSC abides by this storage limitation principle. Retention periods are generally determined on the basis of the periods mandated by applicable laws.
The Island’s Data Protection Law requires personal data to be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
The GSC abides by this principle by ensuring that only those employees that are required to process certain personal data are in fact given access to such personal data.
Furthermore, the GSC has information security measures in place to ensure that risks to any of the personal data in its possession are adequately mitigated. The GSC abides by the Isle of Man Government Information Security Policies.
The GSC, as the data controller, is able to demonstrate compliance with the Island’s Data Protection Law and with all the principles for processing personal data that are hereby stipulated.
This data protection policy outlines the organisational measures that are in place at the GSC that aim at ensuring compliance with the Island’s Data Protection Law.
The GSC is the Island’s gambling regulator and is responsible for the licensing and regulation of both online and land-based gambling operations. This includes the casino, amusement and slot machines, betting offices and lotteries.
The GSC’s regulatory objectives are laid out in the Gambling Supervision Act 2010 and are:
Whilst discharging these functions the GSC has regard to:
Collecting and processing personal data is essential to enable the GSC to exercise its statutory functions appropriately.
We generally collect the following categories of personal data to support our regulatory objectives:
Identifying information: such as name, date and place of birth, nationality and other unique identifiers such as government-issued identification and national insurance number.
Contact information: such as telephone number, email address, physical addresses.
Professional information: such as education and employment history including schools and places of higher education attended, relevant qualifications, details of current and previous employment, and academic and employment references, job role etc.
Financial information: such as a person’s financial situation, solvency and any past declarations of bankruptcy and any civil convictions.
Legal information: such as being subject to current or past civil litigation, or being subject to successful investigation by a governmental, professional or other regulatory body.
Criminal activity: this includes current and spent convictions as well as pending charges relating to criminal offences of individuals who control or manage the affairs of licence holders or those entities applying for a gambling licence.
Corporate information: this includes personal information in relation to a corporate entity such as information about the directors, shareholders, legal representatives, ultimate beneficial owners and other key positions such as the money laundering reporting officer.
Special categories of personal data as defined by the GDPR include:
The GSC ensures that any processing of special categories of personal data is only carried out when one of the following applies:
In all cases, the GSC is committed to ensure that any processing is proportionate to the aim pursued, respects the essence of the right to data protection and provides for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.
While fulfilling its role as the regulatory body responsible for the governance and supervision of all gaming activities in and from the Isle of Man, the GSC processes certain personal data relating to licensees, players and complainants.
The GSC ensures that it only processes personal data if at least one of the following applies:
The data subject has given consent to the processing of his or her personal data for one or more specific purposes;
The processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
The processing is necessary for compliance with a legal obligation (i.e. European or Manx law) to which the GSC is subject;
The processing is necessary in order to protect the vital interests of the data subject or of another natural person;
The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the GSC by European or Manx law;
The processing is necessary for the purposes of the legitimate interests pursued by the GSC, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
In most cases, the GSC's legal basis for processing personal data will be Article 6(1)(e), namely that the processing is necessary in order to perform our public task as the Isle of Man's gambling regulator as set out in law.
The GSC is a designated competent authority for the inspection and investigation of criminal matters identified whilst exercising our statutory functions.
Personal data obtained for law enforcement purposes is protected under Isle of Man data protection legislation, however an individual’s rights in relation to such personal data are more limited to reflect the fact that the data subject is subject to law enforcement proceedings.
In relation to the processing of criminal conviction data, the processing would be necessary for reasons of substantial public interest, namely the exercise of a function of a Statutory Board.
Information we obtain for the purposes of exercising our statutory functions is ‘restricted information’, which includes both personal data and non-personal data.
Our legislation imposes a number of restrictions on the disclosure of restricted information in order to protect the people to whom that information relates and safeguard our ability to exercise our functions appropriately.
These restrictions are subject to certain exceptions to recognise situations where we may need to share personal data to enable us to exercise our functions appropriately. However, we sometimes need to share information with other bodies under statutory powers known as ‘information gateways’. Some examples are shown below. More information is set out in the section ‘Who we share your information with’.
With other bodies acting in the public interest in order to exercise our functions effectively or to assist those bodies in carrying out their functions.
With other authorities or law enforcement agencies to help us (or them) to exercise our (or their) functions appropriately.
Sometimes we may be required by another body to disclose personal data under relevant legislation or by court order.
Where that is the case, we will take appropriate steps to ensure:
that your personal data is subject to a similar level of protection in that jurisdiction as it would be in the Isle of Man.
that the type and amount of personal data we share is relevant and proportionate to the purpose for which it is being shared.
that the transfer of data will be in accordance with the law.
Equally, personal data we receive from other bodies will be treated in accordance with this Privacy Notice.
In accordance with our statutory functions and powers, we will share your personal data with third parties to help us (or them) to exercise our (or their) functions appropriately.
We will share with and obtain personal data from third parties such as from complainants, other regulatory bodies, witnesses and experts about persons relevant to a regulatory investigation.
This may include parties such as:
We may also share with and obtain personal data from third party organisations when carrying out our regulatory objectives. The main ones are listed below.
Any personal data we share in this way is shared in accordance with relevant legislation and is limited to the type and amount of data we believe necessary in order to achieve our objectives. It may also be necessary to share information for other reasons, such as legislative obligations in relation to:
In accordance with our statutory functions and powers, we will obtain data from third parties in the following ways (and for the following reasons):
In order to confirm information supplied to us in the licensing application process and/or for the purposes of suitability assessments. This may include data organisations such as LexisNexis Risk Solutions, Accuris Risk Intelligence and LSEG World-Check, as well as public registers, and information from other regulatory bodies. We inform applicants, as part of our applications process, that such checks will be made and that the GSC is implicitly authorised to carry out such enquiries as may reasonably be expected to satisfy itself that the statutory requirements are met. To the extent the relevant information requested and/or supplied by these third parties constitutes personal data, this processing will be for the purposes of exercising our official authority and statutory functions as regulator of the gambling industry.
From operators, either at our request or when they are required to report information to us. Obtaining such data from operators is for the purposes of our exercise of our functions, particularly in the context of seeking to achieve our regulatory objects under Isle of Man Gambling legislation. This may include information about problem gamblers, for example, from complainants, members of the public, other regulatory bodies, witnesses and experts about persons who may be relevant to a regulatory investigation.
Data provided by licence applicants identifying people relevant to the application who are not the applicants themselves (for example, funders).
In each case, the information is important to the exercise of our regulatory functions; and, we will not generally notify the relevant individuals when such data is received from third parties. In certain circumstances, particularly where there is a possibility of criminal activity being identified and actioned, notification could obviously hinder this process. In other cases, the information is necessary (and failure to provide it could lead, for example, to a refused application or even an offence being committed under any of the Isle of Man gambling legislation) and/or notifying individuals would involve disproportionate effort.
Unless required by a legal obligation applying to the GSC, before transmitting any personal data to a recipient that is external to the GSC and that is situated in a non-EU country:
The GSC establishes that the relevant non-EU country has agreed to maintain a data protection level equivalent to the General Data Protection Regulation; and
Authorisation from the Office of the Information Commissioner will be sought and obtained.
If personal data is transferred from the GSC to a company with its registered office outside of the European Economic Area, the company importing the data is obliged to:
cooperate with any inquiries made by the relevant supervisory authority of the GSC; and
comply with any observations made by the relevant supervisory authority with regard to the processing of the transmitted data.
When personal data is transmitted by a third party to the GSC, it must be ensured that such data can be, and is only used for the intended purpose.
The security and confidentiality of your information is very important to us. We will ensure that safeguards are in place to:
Keep sufficient information to provide services and fulfil our legal responsibilities.
Keep your records secure and accurate and only permit authorised staff to view your information.
Only keep information as long as it is required.
Only the GSC’s personnel are able to view your data.
Your data will only be held on servers that are under the control of the Cabinet Office, Government Technology Services (GTS), and within the jurisdiction of the Isle of Man, in line with the ISO27001 standard (the ISO standard on information security), and that hold Cyber Essentials.
Email communications are stored on the Isle of Man Government email system, Microsoft Outlook, and are encrypted and protected in line with government standards. If your email service does not support this encryption, you should be aware that any emails we send or receive may not be protected in transit.
We will also monitor any emails sent to us, including file attachments, for viruses or malicious software. Please be aware that you have a responsibility to ensure that any email you send is within the bounds of the law.
The GSC uses Microsoft Dynamics CRM to hold personal and business information relevant to our licence holders. Only certain members of staff will have access to your personal information on CRM and there is security in place to ensure this.
The GSC also uses the Isle of Man Government Secure Network. There are strict access controls in place, meaning that only those within the GSC can access information stored in folders on our network; in addition, the only teams within the Divisions who are able to access personal information are those that have a business need to do so.
The administration of CRM and the secure network is undertaken by GTS under a data processing agreement. They should not access your personal data without the GSC’s explicit permission, and only where vital for the administration of the system.
Paper records - We do not routinely store manual records; however, those that are already in storage, and any new records we are required to hold manually, are stored either on site or in a third-party storage facility with whom we have a data protection agreement in place.
As part of the GSC's regulatory responsibilities, it may publish consultations on various topics, seeking the views of the industry, companies, parliamentarians, researchers and the public.
Engagement with a public consultation will be at the discretion of the individual. Wherever possible, we will not require personal information from an individual in order to take part in the consultation.
Responses will be considered for the purpose of informing the development of our policy, guidance and other regulatory work in the subject area of the consultation. If contact details are provided, we may use these to monitor responses or contact you in relation to the consultation.
We may publish a summary of the consultation responses, but these will not contain any personal data. If we decide to publish your name (and on whose behalf you have responded) to indicate that you have responded to this consultation, we will only ever do this with your consent.
It is in our legitimate interests to seek the views of licence holders and the wider public to help form our views. Individuals taking part in a consultation do so of their own free will and have the ability to provide their views anonymously or to withdraw their response at any stage. Information on how to do this can be found on the Consultation Hub website or by contacting the GSC’s Data Protection Officer at DPO-GSC@gov.im
The Cabinet Office of the Isle of Man Government runs the Consultation Hub. More information on the use of the Consultation Hub can be found in the Cabinet Office’s privacy notice.
We will only keep your information for the minimum time necessary to perform our regulatory functions. Our general approach is to retain personal information relevant to the operation of a licence holder for a period of six years following the date the relationship with the GSC formally ended. Other personal data collected during the course of our regulatory activities may be deleted sooner, once the need for processing that data has concluded.
This may be to:
Personal information relevant to the checking of the fitness and propriety of a person to be approved by the GSC will be retained for the minimum period necessary in making that determination.
The need to retain information for historical or archiving purposes by the Public Record Office under the Public Records Act 1999.
Articles 12 to 22 of the Data Protection (Application of GDPR) Order 2018 set out the rights you have as a data subject.
These rights are subject to the restrictions set out in Article 23.
You have the right to be provided with clear and concise information about what we do with your personal data. This Privacy Notice explains how we collect and process your personal data.
You have the right to access and obtain a copy of your data and certain processing information on request, subject to certain restrictions.
You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
You have the right to ask us to delete your data in certain circumstances. For example:
Personal data will be retained under our legal obligation to carry out our statutory functions, for a period as defined within our Records Retention Schedule.
You have the right to ask us to restrict the processing of your personal information in certain circumstances. For example:
The right to restrict processing is subject to our legal obligation to carry out our statutory functions.
You have the right to object to the processing of your personal information in certain circumstances. In this case, we will stop processing unless we can demonstrate compelling legitimate grounds for continuing the processing, which override your interests.
This only applies in certain circumstances and will therefore depend on the purpose and lawful basis for processing. As most of our processing is conducted in order for us to comply with a legal obligation and/or perform a public task, this right will not be available in most circumstances.
We do not currently carry out any automated decision making.
To receive personal data you have provided to us in a structured, commonly used and machine readable format where it is processed by automated means. You may also request that we transmit this data to another controller. The right to data portability is not applicable for personal data processed where the lawful basis for this processing is necessary for us to perform a task in the public interest or for our official functions.
If you would like to exercise any of these rights, please contact our Data Protection Officer.
Your rights may be limited where we are processing your personal data for certain regulatory activity or law enforcement purposes, such as the inspection and investigation of criminal offences. We will be able to advise you if this is the case when you seek to exercise rights in relation to your personal data.
You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you.
You have the right to ask for a copy of any personal information that we may hold about you by making a Subject Access Request.
Such requests will be dealt with as a subject access request under Data Protection legislation. We are obliged to provide the information within 30 days unless an exemption applies, or unless your request is particularly complex, in which case we are able to extend the response period by a further two months. Where this is the case, we will inform you of our intention to extend the deadline and our reasons for doing so.
To help us locate the information you need, we ask that you complete the Subject Access Request Form and provide proof of identity and residency. These should be emailed to DPO-GSC@gov.im.
There may be some circumstances, where an exemption is applicable under GDPR, when we will not be able to provide you with the information that you have requested. We will not be able to provide any information which might identify another individual (third party information), unless that person agrees.
If after you have received the information you have requested, you believe that the information is inaccurate or out of date; or that we should no longer be holding that information or we are using your information for a purpose of which you were unaware then you should notify the Data Protection Officer at once, stating the reasons you believe any of the above to be correct.
The Isle of Man Information Commissioner provides guidance on making subject access requests. Information can be found on their website below.
The main purpose of this website is to provide you with information.
Where you choose to contact us about a query or to complain against a licence holder, we will only use the limited personal information you provide through our contact pages to help answer your questions.
We do not store your personal information on the website.
If you have any concerns about how we collect or process your data, you can write to our Data Protection Officer using the address above or by email to DPO-GSC@gov.im.
You also have the right to request the Isle of Man’s Information Commissioner (ICO) to undertake an assessment as to whether the processing of your personal data has been carried out in accordance with the provisions of the Isle of Man Data Protection Legislation.
Further information regarding complaints to the ICO can be obtained by calling +44 1624 693260. Information can be found on their website below.
This Privacy Notice may change. We will not reduce your rights under this Privacy Notice without your consent.
If any significant change is made to this Privacy Notice we will provide a prominent notice on this website so that you can review the updated Privacy Notice.
Version | Date | Notes |
1.0 | 22 July 2020 | Creation of the privacy notice |
1.1 | 10 January 2021 | Alterations to format & content |
1.2 | 18 November 2021 | Addition of contents table |
2.0 | 29 March 2022 | Changes to format and layout |
3.0 | 27 July 2023 | Changes to branding & content changes |
4.0 | 20 February 2024 | Creation of the privacy notice in document format & changes to content including the separation of certain key information into standalone privacy notices |
4.1 | 1 May 2024 | Updates to branding and revision of section data related to licensees. |
4.2 | 16 May 2024 | Insertion of section entitled "Obtaining data from third parties" |
4.3 | 4 July 2024 | Inclusion of ongoing monitoring of individuals associated with license holders and minor tidying up of superfluous words. |
This section provides specific information on privacy matters for individuals applying for jobs at the GSC.
We collect and process personal data relating to job applicants in order to carry out our recruitment process. We are committed to being transparent about how we collect and use that data and to meeting our data protection obligations.
The Isle of Man has data protection laws describing what an organisation must do if it processes personal data and what rights you have in respect of your data. Please see the Information Commissioner’s website for more details: https://www.inforights.im/.
We collect the following personal data about you as part of the recruitment process:
The following personal data categories will only be collected and processed by us following successful application and acceptance of job offer:
We may collect this information in a variety of ways. For example, data may be collected from:
We may also collect personal data about you from the following sources:
We will seek information from third parties if a job offer has been made to you and will seek your permission before doing so.
We will only process your personal data if we have a lawful basis for doing so. The main lawful bases that apply to our processing of personal data of job applicants are:
Processing is necessary in order to take steps at your request prior to entering into an employment contract.
As part of the recruitment process, we need to process certain personal data prior to entering into a contract with you. We will not use your data for any purpose other than for recruitment purposes and you are free to withdraw from the process at any time. Should your job application be successful and you subsequently become an employee of the GSC, other lawful bases for processing your personal data will then apply (there is a separate Employee Privacy Notice).
Processing is necessary for compliance with a legal obligation to which the GSC is subject (e.g. for the purposes of recruiting staff).
In some cases, we need to process personal data to ensure that we are complying with our legal obligations. For example, it is a requirement to check a successful applicant’s eligibility to work in the Isle of Man before employment starts.
Processing is necessary for the purposes of the legitimate interests pursued by the GSC or by a third party.
We have a legitimate interest in processing certain personal data about you during the recruitment process and for keeping records of the process.
Processing data from job applicants allows us to manage the recruitment process, assess and confirm a candidate’s suitability for employment and decide to whom to offer a job. We may also need to process data from job applicants to respond to and defend against legal claims.
Some sensitive personal data (referred to as ‘special category’ data), about job applicants (such as information about health or medical conditions) may be processed by us to carry out our employment law obligations, such as those in relation to prospective employees with disabilities.
The main conditions that apply to the processing of special category data of job applicants by us are as follows:
Processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the GSC or of the employee in the field of employment and social security and social protection law.
Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Isle of Man law.
The job applicant has given explicit consent to the processing of their personal data for one or more specified purposes.
Should your job application be successful, we will establish if you have any health or disability issues for which we may need to make suitable adjustments to planned working arrangements. We will do this only after a job offer has been made. Such processing of personal data is necessary for us to carry out our obligations and exercise specific rights in relation to employment.
We will only process health data which is necessary to satisfy our duty of care to job applicants. Any health data will be held securely and will only be shared where necessary to protect the interests of job applicants and with the express permission of the individual concerned.
We process personal data about job applicants relating to criminal convictions and offences in order to carry out our obligations and exercise specific rights in relation to employment.
If you apply for any of the following roles, you will be required to provide a record of any spent convictions as part of enhanced considerations around your suitability for the role, by virtue of Part 2 (4) of Schedule 1 of Rehabilitation of Offenders Act 2001 (Exceptions) Order 2018:
A member of the Gambling Commission
The Chief Executive Officer
Deputy Chief Executive Officer
Director
Personal data will be stored in different places depending on the circumstances. These may include your application record, in Human Resources (‘HR’) management systems and on other IT systems (including email). The GSC will share your data with other data controllers and data processors where this is necessary for the purposes described in this privacy notice. Please see below for further details.
We take the security of your personal data seriously and we have internal policies and controls in place to try to ensure that your data is not lost, accidentally destroyed, misused or disclosed and is not accessed except by relevant employees in the performance of their duties.
If your application for employment is unsuccessful, we will hold your personal data for 12 months after the end of the relevant recruitment process to meet obligations under the Equality Act 2017. At the end of that period your data will be deleted or destroyed.
If your application for employment is successful, personal data gathered during the recruitment process will be transferred to your personnel file and retained during your employment. The periods for which your data will be held are set out in our records retention schedule.
Your information may be shared with relevant GSC staff for the purposes of the recruitment exercise. This includes the HR team, interviewers and any other members of staff who are decision makers in the recruitment process.
We will not share your data with third parties unless your application for employment is successful and we make you an offer of employment. Once you give permission to do so, we will share your data with former employers to obtain references for you.
We will not transfer your personal data to countries outside the Isle of Man without either your consent or an appropriate lawful basis for doing so. Similarly, we do not authorise third parties to transfer your data outside the Isle of Man unless either of those conditions is met.
The GSC is under an obligation to ensure that any personal data transferred outside of the Isle of Man, the European Economic Area (‘EEA’) or a jurisdiction with an adequacy decision for the European Union’s General Data Protection Regulation (‘GDPR’) (such as the United Kingdom) is subject to appropriate safeguards.
As a data subject, you have a number of rights over your personal data and how it is processed:
Right to be informed
This Privacy Notice explains how we collect and process your personal data as an applicant for a job within the GSC.
Right of access
You can access and obtain a copy of your data and certain processing information on request.
Right to rectification
You can request that we change incorrect or incomplete information.
Right to erasure
You can request that we delete your data, for example where the data is no longer necessary for the purposes of processing.
Right to restrict processing
You can request that we restrict processing of your data, for example where there is no longer an appropriate basis for processing.
Right to data portability
You can request personal data you have provided to us in a structured, commonly used and machine readable format where it is processed by automated means. You may also request that we transmit this data to another controller.
Right to object
You can object to the processing of your data by us. This only applies in certain circumstances and will therefore depend on the purpose and lawful basis for processing.
Rights related to automated decision making including profiling
The GSC does not currently carry out any automated decision making.
If you would like to exercise any of these rights, please contact the GSC's Data Protection Officer (see contact details section).
If you believe that the GSC has not complied with your data protection rights, you can discuss your concerns with our Data Protection Officer (see below). If you are not satisfied with a response you receive from us then you can make a complaint to the Isle of Man Information Commissioner, whose details can be found on www.inforights.im. You may have a right to other remedies.
You are under no statutory or contractual obligation to provide data to the GSC during the recruitment process. However, if you do not provide the information, we may not be able to process your application properly or at all.
This Privacy Notice may change. If any significant change is made to this Privacy Policy we will notify you.
Version | Date issued
1.0 | 1 May 2024
The Freedom of Information Act 2015 (FoIA) gives Isle of Man residents a legally enforceable right to obtain access to information held by a Public Authority. This is subject to certain exemptions and practical refusal reasons.
You can find out more information on the FoIA, including how to make a request to us, at Isle of Man Government - Freedom of Information, where you can also view previous requests and their responses.
We are the controller for the personal data you provide when making a FoI request to the Commission.
We need your personal information (such as your name and contact details) to process and respond to you about your FoI request. In some cases, we may ask for proof of identification, and proof of residency, so that we can comply with the FoIA.
We must have a legal basis (a lawful reason) to process your personal data, which is submitted by you when you make a FoI request. The legal basis for processing your information when you make a request is that it is necessary for us to comply with the law (FoIA), or that it is necessary for us to perform a public task in the public interest. This is set out in Articles 6(1)(c) and (e) of the Schedule to the Data Protection (Application of GDPR) Order 2018 (this legislation is sometimes called 'the Applied GDPR').
FOI requests have to be submitted on a form prescribed by the Chief Executive Officer (Isle of Man Government) in order to be valid and accepted under the FoIA. You can either submit a request using the form online or a paper version, which is available by contacting our Data Protection Officer (see below for contact details).
When you make an FoI request using the Online Services Portal on the Isle of Man Government website, a system called iCasework is used to process your request. The iCasework system is provided by a company called Civica UK Limited. This system stores information such as:
Civica UK Limited act as a Processor on behalf of all the Isle of Man Public Authorities. Civica UK Limited use the information held in the iCasework system for the purpose of providing a system to manage FOI requests and to transfer this information to the relevant public authority. The information you provide to Civica UK Limited will be kept secure and confidential.
Access to your information is limited to authorised staff members within the Commission.
The Department of Home Affairs (DHA), through the Office of Cyber Security & Information Assurance (OCSIA), has been contracted by the Commission to manage system administration on our behalf.
If you are unhappy with the response to your Freedom of Information request
If you are dissatisfied with the response to your request for information, or the way your request was handled, you have the right to request the GSC to undertake a review.
If you are still unhappy following the review, you can complain about your request to the Information Commissioner’s Office. In this case the Commission will need to share information with them, such as emails we have sent to or received from you, so that the Information Commissioner can investigate the complaint.
Your personal information will be held in iCasework for 12 months after the Commission has closed your request, or if you requested a review of your request, 36 months after the closure of your request.
After this time, the request will remain on the iCasework system, but all the personal information you provided at the time of the request will be deleted.
The Applied GDPR (data protection legislation) provides you as a data subject with some rights to be informed of the processing of your personal data, including the right to access that data and information about the purposes for processing.
This includes a right to correct (rectify) any information the Commission holds, or to restrict it in certain circumstances.
As the Commission is processing your data in order to comply with its legal obligations, certain of the data protection rights do not apply, including the right to have your data deleted (erasure) or transferred to another provider, the right to object to the processing, and the right to be informed about automated decision making.
When using the iCasework site or dealing with FOI requests, the Commission does not make automated decisions or profile your data.