If you have any questions about how we process your personal information, you can contact our  Data Protection Officer regarding your rights.

By email: DPO-GSC@gov.im

By telephone:  01624 698322

In writing: 

Data Protection Officer

Gambling Supervision Commission

Ground Floor, St George’s Court,

Myrtle Street, Douglas,

Isle of Man, IM1 1ED

Lawfulness, Fairness and Transparency 

The Island’s Data Protection Law requires that the GSC, as the data controller, provides data subjects with information about his/her personal data processing in a concise, transparent and intelligible manner, which is easily accessible, distinct from other undertakings between the controller and the data subject, using clear and plain language.

Data Minimisation 

The GSC, as the data controller, ensures that only personal data which is necessary for each specific purpose is processed. The Island’s Data Protection Law stipulates that any personal data processed shall be adequate, relevant and limited to what is necessary. This principle shall apply in terms of the amount of personal data collected, the extent of the processing, the period of storage and accessibility.

Accuracy 

The GSC also ensures that personal data in its possession is accurate and, where necessary, kept up- to-date. The GSC takes every reasonable step to comply with this principle.

Periodic exercises are carried out by the GSC to ensure data accuracy and to rectify any inaccurate data in its possession.

Storage Limitation 

The GSC ensures that when the need to keep any of the personal data in its possession ceases to exist, such personal data is deleted or anonymised.

The GSC has a Data Retention Policy which details the way in which the GSC abides by this storage limitation principle. Retention periods are generally determined on the basis of the periods mandated by applicable laws.

Integrity and Confidentiality 

The Island’s Data Protection Law requires personal data to be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

The GSC abides by this principle by ensuring that only those employees that are required to process certain personal data are in fact given access to such personal data.

Furthermore, the GSC has information security measures in place to ensure that risks to any of the personal data in its possession are adequately mitigated. The GSC constantly abides by the Isle of Man Government Information Security Policies.

Accountability 

The GSC, as the data controller, is able to demonstrate compliance with the Island’s Data Protection Law and with all the principles for processing personal data that are hereby stipulated.

This data protection policy outlines the organisational measures that are in place at the GSC that aim at ensuring compliance with the Island’s Data Protection Law.

The GSC is the Island’s gambling regulator and is responsible for the licensing and regulation of both online and land-based gambling operations. This includes the casino, amusement and slot machines, betting offices and lotteries.

The GSC’s regulatory objectives are laid out in the Gambling Supervision Act 2010 and are:

• to keep the gambling industry crime free

• to protect the young and those at risk

• to ensure that the services offered by licence holders are fair and that players receive their true winnings

Collecting and processing personal data is essential to enable the GSC exercise its functions appropriately.

We generally collect the following categories of personal data to support our regulatory objectives:

• Identifying information: such as name, date and place of birth, nationality and other unique identifiers such as government-issued identification and national insurance number.

• Contact information: such as telephone number, email address, physical addresses.

• Professional information: such as education and employment history including schools and places of higher education attended, relevant qualifications, details of current and previous employment, and academic and employment references, job role etc.

• Financial information: such as a person’s financial situation, solvency and any past declarations of bankruptcy and any civil convictions.

• Legal information: such as being subject to current or past civil litigation, or being subject to successful investigation by a governmental, professional or other regulatory body.

• Criminal activity: this includes current and spent convictions as well as pending changes relating to criminal offences of individuals who control or manage the affairs of licence holders or those entities applying for a gambling licence.

• Corporate information: this includes personal information in relation to a corporate entity such as information about the directors, shareholders, legal representatives, ultimate beneficial owners and other key positions such as the money laundering reporting officer.

In most cases, the processing of personal data relating to data subjects that have a role within entities licensed by the GSC is either based on the fact that such processing is necessary for complying with a legal obligation to which the GSC is subject or on the fact that such processing is necessary for the performance of a task in the public interest or in exercise of official authority that is vested in the GSC by virtue of Manx or European law.

Processing of Data Collected at Application Stage 

The GSC routinely processes personal data relating to licensees and some of their key personnel, including but not limited to their shareholders, ultimate beneficial owners, and any employees performing key roles as determined by the GSC.

This data, provided to the GSC by the licensee, their appointed representative, or by any relevant third parties or bodies, is routinely provided at application stage, but may also be requested by the GSC at any other stage throughout the licensing relationship, where prescribed by the relevant Manx gambling legislation.

The GSC ensures that the type and extent of any such data processing is necessary for the legally authorised data processing activity, and that it complies with all applicable requirements. Hence, the above-detailed data processing is carried out on the basis of the GSCs legal obligation to regulate gaming services offered to and from the Isle of Man.

Processing of Data Collected or Created at any Stage During the Duration of the Licence

Throughout the duration of a valid licence, the GSC may deem it necessary to collect further data from the licensees, or from third parties or bodies, as it may deem necessary as the regulator responsible for the governance and supervision of all gaming activities to and from the Isle of Man. The GSC will also be gathering data on the basis of a licensee’s activities.

This information is processed for regulatory purposes in order for the GSC to fulfil its legal and regulatory functions.

Processing of Data for the purpose of Audits 

The GSC may forward all data, including any personal data to the approved Auditor appointed by the licensee in accordance with the relevant procedures, in order for the said Auditor to carry out the respective audit. This processing is carried out on the basis of a contractual obligation included within the applicable issued licences. 

Processing of Licensees’ Data for Regulatory and Enforcement Purposes 

The law also empowers the GSC to investigate and assess compliance of licensees and individuals performing key functions with the law, and to take any enforcement action it may deem necessary, in accordance with the law.

Personal data provided to the GSC will be used in the course of conducting investigations into the activities of all authorised and interested persons. The GSC may also publish any regulatory and enforcement action taken, at its discretion.

Sharing Licensee’s Data with Other Entities, Bodies or Authorities 

There may be instances when the GSC will share a licensee’s data, including any personal data, with any third parties fulfilling a service on the GSC’s behalf, and under the express and specific instructions of the GSC. Occasionally, the GSC may also share such data with another body, or Authority where the law requires, or permits it to do so.

This may include any relevant public authorities, local or overseas, gaming regulators, and law enforcement agencies.

The primary purpose for such transfer of data is for the Authority to perform its functions as mandated within the law. Where the law does not require or specifically permit the GSC to transfer any data, the GSC may seek to share this data on the basis of a contractual obligation, where this is applicable.

In all cases, the data shall be shared in a fair, transparent and in an encrypted manner. 

Processing of Player Data provided through Player Complaints

The GSC processes personal data relating to players and that has been supplied by the players themselves when this is necessary to provide assistance to the player with any general or technical query and when this is necessary to mediate any disputes arising between players and licensees.

The GSC ensures that such data is processed exclusively for the purpose for which it has been collected and that it is processed in accordance with the applicable policies and procedures. In every instance the GSC will log the details of the complainant, and the details of any other individuals named by the complainant.

It is likely that the GSC will have to share the complainant’s identity with the licensee in order to be able to resolve the situation. If a complainant would not like to be identified to an operator, it is recommended that they inform us of that wish as soon as possible, and the GSC will try to respect that, however if it is determined that there is an overarching public interest to proceed with the investigation of a complaint and this can only be done by disclosing the complainant’s identity, the GSC may decide to do so.

A complaint may also very well lead to enforcement action taken by the GSC, or by the Police, and in this case, the complainant’s data will be included within this investigation. The GSC processes this data on the basis of the requirements laid down within the law.

Processing of Player Data gathered via Land-Based Inspections 

As part of its regulatory functions aimed at protecting minors and vulnerable persons, the GSC carries out inspections at the premises of land- based operators.

During such inspections, a sample of players is asked to provide their personal information so as to allow the GSC’s inspectors to confirm that the players are not in the database of self-barred persons or below the age required by law to enter into such gaming premises.

The GSC ensures that such personal data relating to players is only used for the purposes for which it is collected; that is to ensure that the land-based gaming operator is abiding by the legal requirements related to the protection of minors and vulnerable persons that are applicable to him. This data is processed on the basis of the GSC’s legal obligation to regulate the provision of gaming services offered to and from the Isle of Man.

Processing of Player Data for the Purposes of any Investigation 

In the event of any suspicion of any specified crimes, including but not limited to money laundering, funding of terrorism, and manipulation of sports competitions, licensees may forward specific player data to the GSC, as well as to other supervisory Authorities.

The GSC is legally bound to process this data in the course of its investigations into these crimes, and may transfer such data to another body, or Authority where the law requires, or permits it to do so. This may include any relevant public authorities, local or overseas, gaming regulators, sports integrity bodies, sports governing bodies, and law enforcement agencies.

The primary purpose for such transfer of data is for the Authority to perform its functions as mandated within the law.

The GSC is designated as a competent authority under Schedule 1 of the GDPR and LED Implementing Regulations 2018. We may share your personal data with other public authorities or law enforcement agencies to help us (or them) to exercise our (or their) functions appropriately, but only where it is lawful and proportionate to do so.

This information may also be relevant to our wider regulatory objectives and statutory functions. We may, for example, derive information from our investigations which help us improve our understanding of the gambling market and assessment of the risks it faces (and potential risks to consumers as a result), and to seek continuous improvements in the market and our regulation of it.

The GSC may also record adverse information obtained during the course of fulfilling its regulatory objectives, in relation to the activities of licence holders and the individuals who control or manage them, in order to safeguard the reputation of the Isle of Man and the international character of gambling, and specifically to preventing gambling from being a source of crime or disorder, associated with crime or disorder, or used to support crime.

We may also act as a prosecutor in relation to certain gambling offences. In this case, the relevant provisions of the Law Enforcement Directive as applied to the Isle of Man, will be engaged.

Personal data obtained for law enforcement purposes is protected under Isle of Man data protection legislation and an individual's rights in relation to such personal data are more limited to reflect the fact that the data subject is subject to law enforcement proceedings.

Data included within Generic Complaints

The GSC may also receive any other general complaints relating to, for example, any gaming activity or gaming advertisement or data protection issue, to the GSC.

In this case, similarly to the above, the relevant department or individual within the GSC will log the complainant’s details and proceed with its investigation.

Such a complaint may also lead to enforcement action taken by the GSC, or by the Police, and in this case, the complainant’s data will be included within this investigation.

Special categories of personal data as defined by the GDPR include:

• personal data revealing racial or ethnic origin;
• political opinions;
• religious or philosophical beliefs;
• trade union memberships,
• genetic and biometric data processed for the purpose of uniquely identifying a natural person;
• data concerning health;
• data concerning a natural person's sex life or sexual orientation.

The GSC ensures that any processing of special categories of personal data is only carried out when one of the following applies:

• the data subject has given explicit consent to the processing of those personal data for one or more specified purposes;
• processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the GSC or of the data subject in the field of employment and social security and social protection law;
• processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;
• processing relates to personal data which are manifestly made public by the data subject;
• processing is necessary for the establishment, exercise or defence of legal claims;
• processing is necessary for reasons of substantial public interest, on the basis of European or Manx law;
• processing is necessary for the assessment of the working capacity of the employee;

In all cases, the GSC is committed to ensure that any processing is proportionate to the aim pursued, respects the essence of the right to data protection and provides for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

While fulfilling its role as the regulatory body responsible for the governance and supervision of all gaming activities in and from the Isle of Man, the GSC processes certain personal data relating to both licensees, players, and complainants.

The GSC ensures that it only processes personal data if at least one of the following applies:

• The data subject has given consent to the processing of his or her personal data for one or more specific purposes;

• The processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

• The processing is necessary for compliance with a legal obligation (i.e. European or Manx law) to which the GSC is subject;

• The processing is necessary in order to protect the vital interests of the data subject or of another natural person;

• The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the GSC by European or Manx law;

• The processing is necessary for the purposes of the legitimate interests pursued by the GSC, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.

The GSC is a designated competent authority for the inspection and investigation of criminal matters identified whilst exercising our statutory functions.

Personal data obtained for law enforcement purposes is protected under Isle of Man data protection legislation, however an individual’s rights in relation to such personal data are more limited to reflect the fact that the data subject is subject to law enforcement proceedings.

In relating to the processing of criminal conviction data, the processing would be necessary for reasons of substantial public interest, namely the exercise of a function of a Statutory Board.

Information we obtain for the purposes of exercising our statutory functions is ‘restricted information’, which includes both personal data and non-personal data.

Our legislation imposes a number of restrictions on the disclosure of restricted information in order to protect the people to whom that information relates and safeguard our ability to exercise our functions appropriately.

These restrictions are subject to certain exceptions to recognise situations where we may need to share personal data to enable us to exercise our functions appropriately. However, we sometimes need to share information with other bodies under statutory powers known as ‘information gateways’. Some examples are shown below. More information is set out in the section ‘Who we share your information with’  

• With other bodies acting in the public interest in order to exercise our functions effectively or to assist those bodies in carrying out their functions.

• With other authorities or law enforcement agencies to help us (or them) to exercise our (or their) functions appropriately.

  Sometimes we may be required by another body to disclose personal data under relevant legislation or by court order.

Where that is the case, we will take appropriate steps to ensure:

• that your personal data is subject to a similar level of protection in that jurisdiction that it would be in the Isle of Man.

• that the type and amount of personal data we share is relevant and proportionate to the purpose for which it is being shared.

• that the transfer of data will be in accordance with the law.

Equally, personal data we receive from other bodies will be treated in accordance with this Privacy Notice.

In accordance with our statutory functions and powers, we will share your personal data with third parties to help us (or them) to exercise our (or their) functions appropriately.

We will share with and obtain personal data from third parties such as from complainants, other regulatory bodies, witnesses and experts about persons relevant to a regulatory investigation.

This may include parties such as:

• Relevant public authorities.
• Gambling regulatory authorities.
• Sports betting integrity units.
• Other regulators.
• Technology providers.
• Law enforcement agencies (including overseas).

We may also share with and obtain personal data from third party organisations when carrying out our regulatory objectives. The main ones are listed below.

• Disclosure and Barring Service.
• Isle of Man Treasury Customs & Excise Division.
• Financial Intelligence Unit.
• Financial Services Authority.
• Other international gambling regulators.

Any personal data we share in this way is shared in accordance with relevant legislation and is limited to the type and amount of data we believe necessary in order to achieve our objectives. It may also be necessary to share information for other reasons, such as legislative obligations in relation to:

• The prevention and detection of crime;
• The collection of tax and gaming duty;
• Investigating the proceeds of crime;
• Anti-Money Laundering;
• Countering the financing of terrorism; and
• Proliferation of financing.

In accordance with our statutory functions and powers, we will obtain data from third parties in the following ways (and for the following reasons):

In order to confirm information supplied to us in the licensing application process and/or for the purposes of suitability assessments. This may include data organisations such as LexisNexis Risk Solutions, Accuris Risk Intelligence and LSEG World-Check, as well as public registers, and information from other regulatory bodies. We inform applicants as part of our applications process, that such checks will be made and that the GSC is implicitly authorised to carry out such enquiries as may reasonably be expected to satisfy itself that the statutory requirements are met. To the extent the relevant information requested and/or supplied by these third parties constitutes personal data, this processing will be for the purposes of exercising our official authority and statutory functions as regulator of the gambling industry.

From operators, either at our request or when they are required to report information to us. Obtaining such data from operators is for the purposes of our exercise of our functions, particularly in the context of seeking to achieving our regulatory objects under Isle of Man Gambling legislation. This may include information about problem gamblers, for example, from complainants, members of the public, other regulatory bodies, witnesses and experts about persons who may be relevant to a regulatory investigation

Data provided by licence applicants identifying people relevant to the application who are not the applicants themselves (for example, funders).

In each case, the information is important to the exercise of our regulatory functions; and, we will not generally notify the relevant individuals when such data is received from third parties. In certain circumstances, particularly where there is a possibility of criminal activity being identified and actioned, notification could obviously hinder this process. In other cases, the information is necessary (and failure to provide it could lead, for example, to a refused application or even an offence being committed under any of the Isle of Man gambling legislation) and/or notifying individuals would involve disproportionate effort.

Unless required by a legal obligation applying to the GSC, before transmitting any personal data to a recipient that is external to the GSC and that is situated in a non-EU country:

• The GSC establishes that the relevant non-EU country has agreed to maintain a data protection level equivalent to the General Data Protection Regulation; and

• Authorisation from the Office of the Information Commissioner will be sought and obtained.

If personal data is transferred from the GSC to a company with its registered office outside of the European Economic Area, the company importing the data is obliged to:

• cooperate with any inquiries made by the relevant supervisory authority of the GSC; and

• comply with any observations made by the relevant supervisory authority with regard to the processing of the transmitted data.

• When personal data is transmitted by a third party to the GSC, it must be ensured that such data can be, and is only used for the intended purpose.

The security and confidentiality of your information is very important to us. We will ensure that safeguards are in place to:

• Keep sufficient information to provide services and fulfil our legal responsibilities.

• Keep your records secure and accurate and only permit authorised staff to view your information.

• Only keep information as long as it is required.

• Only the GSC’s personnel are able to view your data.

Your data will only be held on servers that are under the control of the Cabinet Office, Government Technology Services (GTS) and within the jurisdiction of the Isle of Man in line with ISO27001 standard - the ISO standard on information security and hold cyber essentials.

Email communications are stored on the Isle of Man Government email system, Microsoft Outlook and are encrypted and protected in line with government standards. If your email service does not support this encryption, you should be aware that any emails we send or receive may not be protected in transit.

We will also monitor any emails sent to us, including file attachments, for viruses or malicious software. Please be aware that you have a responsibility to ensure that any email you send is within the bounds of the law.

The GSC use Microsoft Dynamics CRM to hold personal and business information relevant to our licence holders. Only certain members of staff will have access to your personal information on CRM and there is security in place to ensure this.

The GSC also use the Isle of Man Government Secure Network – There are strict access controls in place meaning that only those within the GSC can access information stored in folders on our network; in addition, only the teams within the Divisions who are able to access personal information, are those that have a business need to do so.

The administration of CRM and the secure network is undertaken by GTS under a data processing agreement. They should not access your personal data without the GSC’s explicit permission, and only where vital for the administration of the system.

Paper records - We do not routinely store manual records, however, those that are already in storage and a new records we are required to hold any manually are either stored on site or in a third-party storage facility with whom we have a data protection agreements in place.

As part of the GSC's regulatory responsibilities, it may publish consultations on various topics, seeking the views of the industry, companies, parliamentarians, researchers and the public.

Engagement with a public consultation will be at the discretion of the individual. Wherever possible, we will not require personal information from an individual in order to take part in the consultation.

Responses will be considered for the purpose of informing the development of our policy, guidance and other regulatory work in the subject area of the consultation. If contact details are provided, we may use these to monitor responses or contact you in relation to the consultation.

We may publish a summary of the consultation responses, but these will not contain any personal data. If we decide to publish your name (and on whose behalf you have responded) to indicate that you have responded to this consultation, we will only ever do this with your consent.

It is in our legitimate interests to seek the views of licence holders and the wider public to help form our views. Individuals taking part in a consultation do so of their own free will and have the ability to provide their views anonymously or to withdraw their response at any stage. Information on how to do this can be found on the Consultation Hub website or by contacting the GSC’s Data Protection Officer at DPO-GSC@gov.im 

The Cabinet Office of the Isle of Man Government run the Consultation Hub. More information on the use of the Consultation Hub, can be found on the Cabinet Office’s privacy notice.

We will only keep your information for the minimum time necessary to perform our regulatory functions. Our general approach is to retain personal information relevant to the operation of a licence holder for a period of six years following the date the relationship with the GSC formally ended. Other personal data collected to during the course of our regulatory activities may be deleted sooner, once the need for processing that data has concluded.

This may be to:

• Comply with our statutory function and legal obligations.
• Inform our regulatory work in accordance with these objectives - including investigations and enforcement.
• Conduct research/ collate statistics for publication and/or for the purposes of formulation of policy.

Personal information relevant to the checking of the fitness and propriety of a person to be approved by the GSC will be retained for the minimum period necessary in making that determination.

The need to retain information for historical or archiving purposes by the Public Record Office under the Public Records Act 1999. Click here for more information.

Articles 12 to 22 of the Data Protection (Application of GDPR) Order 2018 set out the rights you have as a data subject.

These rights are subject to the restrictions set out in Article 23.

Your right to be informed

This Privacy Notice explains how we collect and process your personal data.

Your right of access

You have the right to access and obtain a copy of your data and certain processing information on request.

Your right to rectification

You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.

Your right to erasure

You have the right to ask us to delete your data in certain circumstances. For example:

• Where the data is no longer needed for the purposes it was collected.
• You object to processing and there are no overriding legitimate grounds to continue.
• Where the data has been unlawfully processed or where the data has to be erased for compliance with a legal obligation.

Personal data will be retained under our legal obligation to carry out our statutory functions, for a period as defined within our Records Retention Schedule.

Your right to restriction of processing

You have the right to ask us to restrict the processing of your personal information in certain circumstances. For example:

• The accuracy of the data is contested – for a period necessary to allow us to verify its accuracy;
• The processing is unlawful and you request restriction instead of erasure; or
• We no longer need the data for the purposes it was collected, but you need it in connection with a legal claim.

The right to restrict processing is subject to our legal obligation to carry out our statutory functions.

Your right to object to processing

You have the right to object to the processing of your personal information in certain circumstances. In this case, we will stop processing unless we can demonstrate compelling legitimate grounds for continuing the processing, which override your interests.

This only applies in certain circumstances and will therefore depend on the purpose and lawful basis for processing. As most of our processing is conducted in order for us to comply with a legal obligation and/or perform a public task, this right will not be available in most circumstances.

Your rights related to automated decision making including profiling

We do not currently carry out any automated decision making.

Your right to data portability

To receive personal data you have provided to us in a structured, commonly used and machine readable format where it is processed by automated means. You may also request that we transmit this data to another controller. The right to data portability is not applicable for personal data processed where the lawful basis for this processing is necessary for us to perform a task in the public interest or for our official functions.

Exercising your rights

If you would like to exercise any of these rights, please contact our Data Protection Officer.

You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you.

You have the right to ask for a copy of any personal information that we may hold about you by making a Subject Access Request

Such requests will be dealt with as a subject access request under Data Protection legislation.  We are obliged to provide within 30 days unless an exemption applies unless your request is particularly complex, in which case we are able to extend the response period by a further two months.  Where this is the case, we will inform you of our intention to extend the deadline and our reasons for doing so.

To assist us locate the information you need, we ask that you complete the Subject Access Request Form and provide proof of identity and residency. These should be emailed to the DPO-GSC@gov.im.

There may be some circumstances, where an exemption is applicable under GDPR, when we will not be able to provide you with the information that you have requested.  We will not be able to provide any information which might identify another individual (third party information), unless that person agrees.

If after you have received the information you have requested, you believe that the information is inaccurate or out of date; or that we should no longer be holding that information or we are using your information for a purpose of which you were unaware then you should notify the Data Protection Officer at once, stating the reasons you believe any of the above to be correct.

The Isle of Man Information Commissioner provides guidance on making subject access requests. Information can be found on their website below. 

The main purpose of this website is to provide you with information.

Where you choose to contact us about a query or to complain against a licence holder, we will only use the limited personal information you provide through our contact pages to assist answer your questions.

We do not store your personal information on the website. 

If you have any concerns about how we collect or process your data, you can write to our Data Protection Officer using the address above or by email to DPO-GSC@gov.im.

You also have the right to request the Isle of Man’s Information Commissioner (ICO) to undertake an assessment as to whether the processing of your personal data has been carried out in accordance with the provisions of the Isle of Man Data Protection Legislation.

Further information regarding complaints to the ICO can be obtained by calling +44 1624 693260. Information can be found on their website below. 

This Privacy Notice may change. We will not reduce your rights under this Privacy Notice without your consent.

If any significant change is made to this Privacy Notice we will provide a prominent notice on this website so that you can review the updated Privacy Notice. 

This site uses Cookies to create the most secure and effective website possible and to improve the visitor experience. By continuing to use this site, you agree to the use of Cookies.

When you visit www.isleofmangsc.com  website we collect standard internet log information and details of visitor behaviour patterns.

We do this to find out things such as the number of visitors to the various parts of the site. We collect this information in a way which does not identify anyone. We do not make any attempt to find out the identities of those visiting our site. We will not associate any data gathered from this site with any personally identifying information from any source.

These may include Cookies to record that we have already presented you with a piece of information which you would find intrusive and annoying if we continually re-presented.

These may include notifications about the availability of new features or applications, and warning notices. Cookies to retain settings or choices that you have made earlier during your visit to our site, so that we can reapply those choices when you revisit the relevant pages.

These save you effort in reselecting the settings or making the choice, improving your experience of the website. For example, pre-populating complex search criteria screens with previous values, or collating selections you have made throughout your visit.Cookies to support specific elements of the site

manage and delete them, visit www.aboutcookies.org. Please be aware, however, that without cookies you may not be able to use the full functionality of the Site.

What is a Cookie?

Cookies are small text files that are placed on your computer or mobile phone by websites that you visit. They are widely used in order to make websites work, or work more efficiently, as well as to provide information to the owners of the site and these pieces of information are used to improve services for you through:

• enabling a service to recognise your device so you don't have to give the same information several times during one task

• recognising that you may already have given a username and password so you don't need to do it for every web page requested

• measuring how many people are using services, so they can be made easier to use and there's enough capacity to ensure they are fast

• analysing anonymised data to help us understand how people interact with our services so we can make them better.

Cookies set by the GSC

CloudFlare

• _cfduid

Used to assist in the protection of Isle of Man Goverment websites against malacious attacks. Does not identify a unique user or store any personally identifiable information. See Cloudflare for more information.

Google Analytics

• _ga
• _gat

Used to collect anonymous information about how visitors use the site.  See Google Analytics for more information.

Cookies set by other websites through this site

We want to provide interesting and engaging content on our website. We sometimes embed photos and video content from other websites.  As a result, when you visit a page with content embedded from, for example, YouTube, you may be presented with cookies from these websites. We do not control the dissemination of these cookies. You should check the relevant third party website for more information about these.

Most web browsers allow some control of most cookies through the browser settings. To find out more, including how to see what cookies have been set and how to manage and delete them, visit www.aboutcookies.org or www.allaboutcookies.org. Please be aware, however, that without cookies you may not be able to use the full functionality of the Site.

Version Control

This Privacy Notice was last updated on 21 February 2024.

Overview

This section provides specific information on privacy matters for individuals applying for jobs at the GSC. 

Why does the GSC collect personal data from job applicants?

We collect and processes personal data relating to job applicants in order to carry out its recruitment process. We are committed to being transparent about how we collect and use that data and to meeting its data protection obligations.

The Isle of Man has data protection laws describing what an organisation must do if it processes personal data and what rights you have in respect of your data. Please see the Information Commissioner’s website for more details: https://www.inforights.im/.

What personal data does the GSC collect about you?

We collect the following personal data about you as part of the recruitment process:

• Full name, previous name(s)
• Contact details including email address, telephone numbers, home address
• Details of your academic and professional qualifications, skills, experience and employment history, including start and end dates with previous employers
• Information about your current employment, remuneration and benefits
• Information you supply about how you meet the criteria for the role
• Information about your criminal record (including details of any spent convictions if you are applying for the roles of a member of the Commission, Chief Executive Officer, Deputy Chief Executive Officer or Director)
• Information on disciplinary action, disqualifications, suspensions, civil litigation, bankruptcy or disqualifications
• Information about your entitlement to work in the Isle of Man
• Details of your employment, academic or personal references and contact details for your referees.

The following personal data categories will only be collected and processed by us following successful application and acceptance of job offer:

• Gender, marital status, date of birth
• Previous address(es), nationality, your passport and other identity documents

We may collect this information in a variety of ways. For example, data may be collected from:

• application forms;
• CVs;
• your passport; 
• other identity documents such as your driving licence;
• correspondence with you; or
• through interviews.

We may also collect personal data about you from the following sources:  

• references supplied by former employers,
• information from providers of employment background checks,
• information from criminal record checks
• right to work checks, including work permit and immigration checks.

We will seek information from third parties if a job offer has been made to you and will seek your permission before doing so.

Why does the GSC process personal data about you?

We will only process your personal data if it has a lawful basis for doing so. The main lawful bases that apply to our processing of personal data of job applicants are:

Processing is necessary in order to take steps at your request prior to entering into an employment contract.

As part of the recruitment process, we need to process certain personal data prior to entering into a contract with you. We will not use your data for any purpose other than for recruitment purposes and you are free to withdraw from the process at any time. Should your job application be successful and you subsequently become an employee of the GSC, other lawful bases for processing your personal data will then apply (there is a separate Employee Privacy Notice)

Processing is necessary for compliance with a legal obligation to which the GSC is subject (e.g. for the purposes of recruiting staff).

In some cases, we need to process personal data to ensure that it is complying with its legal obligations. For example, it is a requirement to check a successful applicant’s eligibility to work in the Isle of Man before employment starts.

Processing is necessary for the purposes of the legitimate interests pursued by the GSC or by a third party.

We have a legitimate interest in processing certain personal data about you during the recruitment process and for keeping records of the process.

Processing data from job applicants allows us to manage the recruitment process, assess and confirm a candidate’s suitability for employment and decide on to whom to offer a job. We may also need to process data from job applicants to respond to and defend against legal claims.

Does the GSC process any sensitive personal data about you?

Some sensitive personal data (referred to as ‘special category’ data), about job applicants (such as information about health or medical conditions) may be processed by us to carry out our employment law obligations, such as those in relation to prospective employees with disabilities.

The main conditions that apply to the processing of special category data of job applicants by us are as follows:

• Processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the GSC or of the employee in the field of employment and social security and social protection law.

• Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Isle of Man law.

• The job applicant has given explicit consent to the processing of their personal data for one or more specified purposes.

Should your job application be successful, we will establish if you have any health or disability issues for which we may need to make suitable adjustments to planned working arrangements. We will do this only after if job offer has been made. Such processing of personal data is necessary for us to carry out its obligations and exercise specific rights in relation to employment.

We will only process health data which is necessary to satisfy its duty of care to job applicants. Any health data will be held securely and will only be shared where necessary to protect the interests of job applicants and with the express permission of the individual concerned.

We processes personal data about job applicants relating to criminal convictions and offences in order to carry out its obligations and exercise specific rights in relation to employment.

If you apply for any of the following roles, you will be required to provide a record of any spent convictions as part of enhanced considerations around your suitability for the role, by virtue of Part 2 (4) of Schedule 1 of Rehabilitation of Offenders Act 2001 (Exceptions) Order 2018:

• A member of the Gambling Commission

• The Chief Executive Officer

• Deputy Chief Executive Officer

• Director

How does the GSC store and protect your personal data?

Personal data will be stored in different places depending on the circumstances. These may include your application record, in Human Resources (‘HR’) management systems and on other IT systems (including email). The GSC will share your data with other data controllers and data processors where this is necessary for the purposes described in this privacy notice. Please see below for further details.

We take the security of your personal data seriously and it has internal policies and controls in place to try to ensure that your data is not lost, accidentally destroyed, misused or disclosed and it not accessed except by relevant employees in the performance of their duties.

How long does the GSC keep your personal data for?

If your application for employment is unsuccessful, we will hold your personal data for 12 months after the end of the relevant recruitment process to meet obligations under the Equality Act 2017. At the end of that period your data will be deleted or destroyed.

If your application for employment is successful, personal data gathered during the recruitment process will be transferred to your personnel file and retained during your employment. The periods for which your data will be held are set out in our records retention schedule.

Does the GSC share your personal data with other parties?

Your information may be shared with relevant GSC staff for the purposes of the recruitment exercise. This includes the HR team, interviewers and any other members of staff who are decision makers in the recruitment process.

We will not share your data with third parties unless your application for employment is successful and it makes you an offer of employment. Once you give permission to do so, we will share your data with former employers to obtain references for you. 

We will not transfer your personal data to countries outside the Isle of Man without either your consent or an appropriate lawful basis for doing so. Similarly, we do not authorise third parties to transfer your data outside the Isle of Man unless either of those conditions are met.

The GSC is under an obligation to ensure that any personal data transferred outside of the Isle of Man, the European Economic Area (‘EEA’) or a jurisdiction with an adequacy decision for the European Union’s General Data Protection Regulation (‘GDPR’) (such as the United Kingdom) is subject to appropriate safeguards.

What rights do you have over your personal data?

 As a data subject, you have a number of rights over your personal data and how it is processed:

Right to be informed

This Privacy Notice explains how we collect and process your personal data as an applicant for a job within the GSC.

Right of access

You can access and obtain a copy of your data and certain processing information on request.

Right to rectification

You can request that we change incorrect or incomplete information.

Right to erasure

You can request that we delete your data, for example where the data is no longer necessary for the purposes of processing.

Right to restrict processing

You can request that we restrict processing of your data, for example where there is no longer an appropriate basis for processing.

Right to data portability

You can request personal data you have provided to us in a structured, commonly used and machine readable format where it is processed by automated means. You may also request that we transmit this data to another controller.

Right to object

You can object to the processing of your data by us. This only applies in certain circumstances and will therefore depend on the purpose and lawful basis for processing.

Rights related to automated decision making including profiling

The GSC does not currently carry out any automated decision making.

If you would like to exercise any of these rights, please contact the GSC's Data Protection Officer (see contact details section).

If you believe that the GSC has not complied with your data protection rights, you can discuss your concerns with our Data Protection Officer (see below). If you are not satisfied with a response you receive from us then you can make a complaint to the Isle of Man Information Commissioner, whose details can be found on www.inforights.im. You may have a right to other remedies.

What happens if you do not provide personal data?

You are under no statutory or contractual obligation to provide data to the GSC during the recruitment process. However, if you do not provide the information, we may not be able to process your application properly or at all.

Changes to this Privacy Notice

This Privacy Notice may change. If any significant change is made to this Privacy Policy we will notify you.

Isle of Man Freedom of Information Act 2015 ('FOIA')

The Freedom of Information Act 2015 (FoIA) gives Isle of Man residents a legally enforceable right to obtain access to information held by a Public Authority. This is subject to certain exemptions and practical refusal reasons.

You can find out more information on the FoIA including how to make a request to us here: Isle of Man Government - Freedom of Information and you can also use this link to view previous requests and their responses.

We are the controller for the personal data you provide when making a FoI request to the Commission.  

Legal basis for processing your information

We need your personal information (such as your name and contact details) to process and respond to you about your FoI request. In some cases, we may ask for proof of identification, and proof of residency, so that we can comply with the FOIA.

We must have a legal basis (a lawful reason) to process your personal data, which is submitted by you when you make a FoI request. The legal basis for processing your information when you make a request is that it is necessary for us to comply with the law (FOIA), or that it is necessary for us to perform a public task in the public interest. This is set out in Articles 6(1)(c) and (e) of the Schedule to the Data Protection (Application of GDPR) Order 2018 – this legislation is sometimes called 'the Applied GDPR').

Sharing information

FOI requests have to be submitted on a form prescribed by the Chief Executive Officer (Isle of Man Government) in order to be valid and accepted under the FoIA. You can either submit a request using the form online or a paper version, which is available by contacting our Data Protection Officer (see below for contact details).

When you make an FoI request using the Online Services Portal on the Isle of Man Government website, a system called iCasework is used to process your request. The iCasework system is provided by a company called Civica UK Limited. This system stores information such as: 

• Your name
• Your address
• Your telephone and email address
• Your company name, if you are requesting information on behalf of an organisation
• Your request
• If requested proof of residency from you 

Civica UK Limited act as a Processor on behalf of all the Isle of Man Public Authorities. Civica UK Limited use the information held in the iCasework system for the purpose of providing a system to manage FOI requests and to transfer this information to the relevant public authority. The information you provide to Civica UK Limited will be kept secure and confidential. 

Access to your information is limited to authorised staff members within the Commission.

The Department of Home Affairs (DHA), through the Office of Cyber Security & Information Assurance (OCSIA), has been contracted by the Commission to manage system administration on our behalf. 

If you are unhappy with the response to your Freedom of Information request

If you are dissatisfied with the response to your request for information, or the way your request was handled, you have the right to request the GSC  to undertake a review.

If you are still unhappy following the review, you can complain about your request to the Information Commissioner’s Office. In this case the Commission will need to share information, such as emails we have sent or received from you with them so that the Information Commissioner can investigate the complaint. 

Storing your information

Your personal information will be held in iCasework for 12 months after the Commission has closed your request, or if you requested a review of your request, 36 months after the closure of your request.

After this time, the request will remain on the iCasework system, but all your personal information you provided at the time of the request will be deleted. 

Your rights

The Applied GDPR (data protection legislation) provides you as a data subject with some rights to be informed of the processing of your personal data, including the right to access that data and information about the purposes for processing. 

This includes a right to correct (rectify) any information the Commission holds, or to restrict it in certain circumstances. 

As the Commission is processing your data in order to comply with its legal obligations, certain of the data protection rights do not apply, including the right to have your data deleted (erasure), transferred to another provider, the right to object to the processing, and be informed about automated decision making. 

When using the iCasework site or dealing with FOI requests, the Commission does not make automated decisions or profile your data.