If you have a question about your gambling, or the gambling of someone close to you, our FAQs from gambling consumers during lockdown may provide valuable information.
Try the new Gambling Commission website we're working on, and give us feedback.
Skip to main content

Privacy and cookies

Privacy statement

This website is operated by the Gambling Commission whose principal place of business is Victoria Square House, Victoria Square, Birmingham B2 4BP. We are an independent non-departmental public body sponsored by the Department for Digital, Culture, Media and Sport, a department of the United Kingdom government.

The Gambling Commission was set up under the Gambling Act 2005 (the Gambling Act) to regulate commercial gambling in Great Britain in partnership with licensing authorities. We also regulate the National Lottery under the National Lottery etc. Act 1993.

In order to carry out our regulatory functions and meet our legal responsibilities, we need to collect certain personal data and, when we do, we are a ‘data controller’ of that information for the purposes of the General Data Protection Regulation (the GDPR) (which applies across the European Union including the United Kingdom), the Data Protection Act 2018 (the Data Protection Act) which supplements GDPR, extends its application in the UK, and implements the Law Enforcement Directive (which relates to processing personal data for law enforcement purposes) (the LED) in the UK.

Show allShow less

What is personal data and special category data?

Under the GDPR, personal data is defined as any information relating to an identified or identifiable natural person. It can include obvious identifiers like your name but also identification numbers, online identifiers and/or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.

Special category data includes data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and genetic data, biometric data, data concerning health or data concerning a person’s sex life or sexual orientation.

What personal data do we collect, for what purpose and what is the basis for doing so?

We collect and process personal data based on one or more of the following legal bases:

  • Consent: the individual has given clear consent for us to process their personal data for a specific purpose

  • Contract: the processing is necessary for a contract we have with the individual or their organisation, or because they have asked us to take specific steps before entering into a contract

  • Legal obligation: the processing is necessary for us to comply with the law (not including contractual obligations)

  • Vital interests: the processing is necessary to protect someone’s life

  • Public task: the processing is necessary for us to perform a task in the public interest or for our official functions, and the task or function has a clear basis in law.

We collect and process special categories of personal data based on one or more of the legal bases set out above and where one of the separate conditions for processing applies, the most likely being: processing is necessary for reasons of substantial public interest, on the basis of UK law and is proportionate to the aim pursued, or processing is necessary for the establishment, exercise or defence of legal claims.

As a regulatory body, most of the personal data that we collect and process is data relating to our regulatory functions and responsibilities. Therefore, for the most part (and for the reasons set out below), when we are processing data it will be on the basis that it is necessary for the performance of a task carried out in the public interest and/or in exercising our statutory functions. We have sought to explain how this works below and also what other lawful bases apply to our processing of data in the relevant categories.

We will also be acting as a prosecutor in relation to certain gambling offences, and processing data for this purpose. The effect of this is picked up below.

Licence applicants and National Lottery vetting

When we receive an application for a licence for a business, for a personal licence via application online, or carry out vetting processes for 'vetted roles' in relation to the National Lottery, we create or update the information we hold about that person on our systems. We use that data to decide whether to approve the application and issue the licence.

The provision of data for the purposes of licence applications and vetting processes is required by law. Failure to provide the information requested constitutes an offence under the Gambling Act and will lead to the application being refused. The provision of data for the purpose of vetting procedures is required by law under the National Lottery etc. Act 1993. If we find that any individual does not meet the necessary standards required by law, they may not be employed in a vetted role. It is also vital, of course, that care is taken to ensure that the information supplied is accurate (including in the period between the submission of the application and the date of the decision). If this is not done, there is a possibility that the licence subsequently issued may be reviewed and potentially revoked.

We are also required to conduct ‘suitability assessments’ as part of the licensing process. For this purpose, we will obtain personal data relating to applicants from third parties such as Disclosure and Barring Service/Disclosure Scotland, CreditSafe and Experian. Obtaining data from third parties is explained further below.

The licensing objectives under the Gambling Act are:

  • preventing gambling from being a source of crime and disorder, being associated with crime or disorder or being used to support crime
  • ensuring that gambling is conducted in a fair and open way
  • protecting children and other vulnerable people from being harmed or exploited by gambling.

Therefore, our collection of personal data for licensing purposes may also be used to:
  • comply with our statutory function and legal obligations
  • inform our regulatory work in accordance with these objectives – including investigations and enforcement
  • assist other regulators or law enforcement agencies
  • check our level of service and to help us improve things where we can
  • conduct research/ collate statistics for publication and/or for the purposes of formulation of policy. Although, in this case, the persons’ data will not identify individuals (in other words, it will be anonymised).

People who already hold a licence - operating/personal

We operate an eServices portal for existing licensees which allows them/ their representatives to:

  • (operators) apply for additional licences, add/ remove/change licence activities, submit key events and Licence conditions and codes of practice (LCCP) notifications, submit regulatory returns or audits, and pay invoices using a credit or debit card
  • (personal licensees) download a copy of their licence, submit key events and LCCP notifications, and submit Personal Licence Maintenance forms (which are required to ensure information is up to date – every five years).

This information is held for the regulatory purposes set out in the Gambling Act. This data may also be used for the additional purposes directly above for the same reasons.
We publish the names of all companies and individuals who hold, or have applied for, operating licences in Great Britain. We also publish the names of companies or individuals whose licences have lapsed, been revoked, forfeited, expired, suspended or surrendered in the last three years. If a licensee is, or has been, subject to a regulatory sanction they are also listed on the regulatory action area of our website. We do this in order to comply with our legal obligations under the Gambling Act.

People we are investigating/regulatory action

The Gambling Act requires that we undertake activities for the purposes of assessing compliance with the Act/ whether any offence has been committed under the Act/and to institute criminal proceedings.

We will use personal data in the course of conducting investigations (and deciding outcomes) into the activities of personal and operator licensees.

This information may also be relevant to our wider regulatory objectives and statutory functions. We may, for example, derive information from our investigations which help us improve our understanding of the gambling market and assessment of the risks it faces (and potential risks to consumers as a result), and to seek continuous improvements in the market and our regulation of it.

As mentioned above, we will also publish regulatory action we take following our investigations.

We will also be acting as a prosecutor in relation to certain gambling offences – where the relevant provisions of the LED (as implemented by the Data Protection Act) will be engaged.

Complainant data

Our complaints page lists the sorts of complaints we may see in the course of our work (and explains how you might raise a complaint) – these include:

  • 1.Consumer complaints about a gambling business (save for that mentioned below, these will generally be made to the business itself first or, if necessary, by an Alternative Dispute Resolution (ADR) process)
  • 2.Complaints about ADR providers
  • 3.Whistleblowing about the way a gambling business is run
  • 4.Complaints about the National Lottery
  • 5.Complaints about the Gambling Commission.

When we receive any such complaint, we will create a complaint file which will identify the complainant (and include their contact details) and others who may be named in the complaint.

We will ordinarily have to share the complainant’s identity with the operator or person complained about. It may be necessary for the person complained about to access any relevant information they hold on a complainant (eg relevant customer account details, history) to help us resolve the complaint. The more complete a picture that we have of the issues complained about, the better prospect we will have in dealing with it effectively. If a complainant tells us that they do not want to be identified to the operator/ person complained about, we will try to respect that. But where there is an overarching public interest to progress a complaint made, which cannot be done without disclosing the complainant’s identity, we may decide to do so.

A complaint may also lead to regulatory action as set out above; as such, the relevant data may also form part of the investigation file.

We may publish research or statistics regarding the complaints we deal with in a relevant period; but we will not do this in a way which identifies individual complainants.

Gambling Commission Consultations

As part of the Gambling Commission’s regulatory responsibilities, it will publish consultations on various topics, seeking the views of the industry, companies, parliamentarians, researchers and the public. 

Purpose and legal basis

We will process your personal data for the purpose of informing the development of our policy, guidance and other regulatory work in the subject area of the consultation. If contact details are provided, we may use these to monitor responses or contact you in relation to the consultation.

We may publish a summary of the consultation responses, but these will not contain any personal data. We may decide to publish your name (and on whose behalf you have responded) to indicate that you have responded to this consultation, we will only ever do this with your consent.

The lawful basis we are relying on to process your personal data is article 6(1)(e) of the GDPR, which allows us to process personal data when this is necessary for the performance of our public tasks in our capacity as a regulator.

What are your rights?

You have the right to request access to the personal data that we hold about you. You have the right to ask for your personal data to be rectified or erased, or to restrict the way in which we process it. You have the right to object to the processing of your personal data. If you are unhappy with the way in which we have processed your personal data then you have the right to complain to a supervisory authority.

If you wish to exercise any of these rights, please email GDPR@gamblingcommission.gov.uk stating your name, email address and the consultation(s) to which you responded.

Do we use any data processors?

If we are using a third party as part of a consultation you will be informed of this and provided with any additional information that may be required as per data protection requirements.

What are cookies?

When we provide services, we want to make them easy, useful and reliable. Where services are delivered on the internet, this sometimes involves placing small amounts of information on your device, for example, computer or mobile phone. These include small files known as cookies. They cannot be used to identify you personally.
These pieces of information are used to improve services for you through, for example:

    • enabling a service to recognise your device so you don’t have to give the same information several times during one task
    • recognising that you may already have given a username and password so you don’t need to do it for every web page requested
    • measuring how many people are using services, so they can be made easier to use and there’s enough capacity to ensure they are fast.

    You can manage these small files yourself and learn more about them through cookies – what they are and how to manage them.

Our use of cookies

Usage analysis: We use Google Analytics to create anonymous cookies and log the IP addresses of visitors. We do not collect any personal information in the process.We collect this data to assess which parts of the website are the most popular and identify trends in usage, helping to guide the development of new web pages. See cookies we use for this analysis

How we use information website visitors provide us with

We do not use cookies for collecting user information. Except as otherwise stated, we may use information visitors provide via this website to communicate information to them (if they have requested it) and for internal marketing and research purposes. We do not disclose any information visitors provide via the website to any third parties or other government departments except where:

    • such disclosures are necessary to fulfil our service obligations to them, in which case we will require such third parties to agree to treat it in accordance with this Privacy Policy
    • required by applicable laws, court orders or government regulations (for example to prevent or detect crime)
    • or they give us permission to do so.

We take reasonable precautions to prevent the loss, misuse, or alteration of data that visitors give us. If you would like us to correct or update any information, or if you would like information deleted from our records, then please contact us on DPO@gamblingcommission.gov.uk, or write to:

Data Protection Officer

Gambling Commission

Victoria Square House

Victoria Square


B2 4BP


User research

Purpose for processing

The purpose for collecting your personal data is so that you can register for our user research programme. We may then contact you about upcoming sessions within the user research programme, which you may want to get involved in.

Legal basis for processing

The legal basis we rely on for processing your personal data is consent under article 6(1)(a) of the General Data Protection Regulation (GDPR).  

We have a legal obligation to make our services accessible, in order to do this, we will also collect information from you about your accessibility requirements. The legal basis we rely on for processing this information is consent under Article 9(2)(a) of the GDPR.

What we need

We need the following pieces of data:

  • Your name

  • Your email address

  • Your telephone number

  • What country you are located in

  • An indication of how you would best describe yourself in relation to the gambling industry

  • Whether you hold a gambling licence or not

  • How you would like to take part in user research

  • How you found out about the user research programme

  • Whether you use any specialist equipment when using the internet

  • How you would score yourself on a scale of expertise in terms of technology

Why we need it

We will use your name, email address and telephone number to contact you about upcoming user research sessions.

We will use the remaining data to identify individuals that belong to specific user groups, who we would like to participate in an upcoming user research session.

What we do with it

We only use your personal data as part of the user research programme. You will receive a confirmation email once you have registered for the user research programme.

We may then send you an email about upcoming user research sessions that you may be interested in. You will be provided with some background information of what to expect and a consent form to sign. 

You have no obligation to participate in a user research session. If you do want to participate, you can opt out or stop the user research session at any time.

You can opt out of the user research programme at any time, which will mean you won’t get any future correspondence about upcoming user research sessions.

Once we receive your consent, we will allocate a participant number against your personal data. This participant number will then be used to record your feedback within a separate document. Your personal data will not be shared with anyone else.

You can opt out of the user research programme at any time, which will mean you won’t get any future correspondence about upcoming user research sessions. To opt out emailing us at userresearch@gamblingcommission.gov.uk and we will remove your details.

How long we keep it

We will keep your personal data within the user research programme for 3 years. Before this time is due to lapse, we will contact you to see if you would like to still be registered.

Once you have consented for a user research session, we will retain your personal data against a participant number for 12 months. The feedback provided against the participant number will be retained until it is no longer relevant or necessary.

What are your rights?

If you want to know more about your rights, please refer to the Your rights section within this privacy statement.

Do we use data processors?

Yes - we use GOV.UK Notify to send out emails on our behalf.  For more information, please see GOV.UK Notify’s privacy notice. You will be informed of any other processor/s used as part of the initiative you take part in.

Links to other websites

This privacy statement only covers the Gambling Commission website at  www.gamblingcommission.gov.uk
This statement does not cover links within this statement to other websites.

How long we keep the information

We operate under a detailed data retention policy which sets out how long certain categories of data will be retained and/or how often certain data will be reviewed for the purpose of assessing whether it needs to be retained. We have four main retention periods:

  • 25 years: for data relating to research
  • 10 years for data associated with contracts that we have entered into and also for enforcement activities
  • 5 years for data relating to Regulation of Investigatory Powers Act 2000, intelligence activities and reports, licensee and operator documents (including correspondence, reports, reviews and assessments)
  • 3 years for data relating to call centre records and complaints.


Keeping your personal information secure

We have a duty to, amongst other things:

    • keep sufficient information to provide services and fulfil our legal responsibilities
    • keep your records secure and accurate
    • only keep information as long as it is required (per the above).

We will use technical and organisational measures in accordance with good industry practice to safeguard your information. For example, we follow best practice in line with the ISO:27001 – the ISO standard on information security and hold cyber essentials.

Obtaining data from third parties

In accordance with our statutory functions and powers, we will obtain data from third parties in the following ways (and for the following reasons):

    • in order to confirm information supplied to us in the licensing application process and/or for the purposes of suitability assessments. This may include data organisations such as CreditSafe and Experian, as well as public registers, and information from other regulatory bodies. As part of our applications process, we include an authorisation for release of information – which confirms (for the purposes of the third parties we approach) applicants’ agreement to the supply of information from governmental and public bodies, financial institutions etc. To the extent the relevant information requested/supplied by these third parties constitutes personal data, we do not rely on consent as the lawful basis for processing the same. As explained above, this processing will be for the purposes of exercising our official authority and statutory functions as regulator of the gambling industry.
    • from operators at our request for the purposes of our exercise of our functions, particularly in the context of seeking to achieving our regulatory objects under the Gambling Act. This may include information about problem gamblers, for example.
    • from complainants, other regulatory bodies, witnesses and experts about persons relevant to a regulatory investigation
    • data provided by licence applicants identifying people relevant to the application who are not the applicants themselves (e.g. funders).

    In each case, the information is important to the exercise of our regulatory functions; and, we will not generally notify the relevant individuals when such data is received from third parties. In certain circumstances, particularly where there is a possibility of criminal activity being identified and actioned, notification could obviously hinder this process. In other cases, the information is necessary (and failure to provide it could lead, for example, to a refused application or even an offence being committed under the Gambling Act) and/or notifying individuals would involve disproportionate effort.


Who we share personal data with

Your data may be shared with third parties who fulfil a service on our behalf, and under our express instructions. It may also be shared with other bodies where it is necessary to do so and where we are legally required or permitted to do so. This may include third party payment processors, relevant public authorities, gambling operators, sports governing bodies, other regulators and law enforcement agencies (including overseas). We also share data with third parties for the purpose of vetting applicants. Such third parties include Camelot, Experian, Disclosure and Barring Service and/or Disclosure Scotland, Serious Fraud Office, Her Majesty's Revenue and Customs and the Financial Conduct Authority. Finally, in limited circumstances we share personal data with market research organisations for research purposes.Sharing data is primarily for the purpose of performing our regulatory functions such as assessing individuals’ suitability to be licensed, but it may also be necessary to share information for other reasons, such as the prevention and detection of crime or the collection of tax and gaming duty.

Your rights

Depending upon the information we hold about you, and the reasons for our holding it, you have various rights under the GDPR/ the Data Protection Act – as set out below. If you have any questions about this, please contact our Data Protection Officer at the address stated above.

The right to rectification

You are entitled to have relevant records/ files amended if the personal data we hold is inaccurate or incomplete. This can be done by certain individuals via their eServices account.

The right to erasure

In limited circumstances you will have the right (where the data is no longer needed for the purposes it was collected, where you have withdrawn consent and there is no other lawful basis on which we can continue to process it, you object to processing and there are no overriding legitimate grounds to continue, where the data has been unlawfully processed or where the data has to be erased for compliance with a legal obligation) to request that we erase the information we hold about you.
As most of our processing is conducted in order for us to comply with a legal obligation and/or perform a public task, this right will not be available in most circumstances.

The right to restrict processing

You have the right to seek to restrict processing of your data in the following circumstances:

  • the accuracy of the data is contested – for a period necessary to allow us to verify its accuracy
  • the processing is unlawful and you request restriction instead of erasure, or
  • we no longer need the data for the purposes it was collected, but you need it in connection with a legal claim.


The right to object processing

You have the right to object to our processing of data which is done on our predominant ground for processing – the exercise of our statutory/ regulatory functions. In this case, we will stop processing unless we can demonstrate compelling legitimate grounds for continuing the processing which override your interests.

Law enforcement processing

The Data Protection Act (implementing the LED) sets out how the rights (together with rights of access – explained below) apply in circumstances where we are prosecuting/conducting law enforcement processing. This includes the prospect of certain rights being restricted (in whole or in part) where necessary and proportionate: to avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences or expectation of criminal penalties; to avoid obstructing an official or legal inquiry, investigation or procedure; or to protect public security, national security, or the rights and freedoms of persons other than the data subject.

Accessing your personal data

You have the right to confirmation as to whether or not we are processing your personal data and, if access the data together with the reasons we hold it, the period it will be retained and who the information has been shared with.

Your request must be in writing. You can submit your request by post or email to SAR@gamblingcommission.gov.uk

The request must include:

    • your name
    • your address/ email address for sending the information to you
    • a description of the information you wish to obtain.

      To ensure confidentiality, we will need evidence which confirms your identity. A copy of photo identification, and proof of your address such as a copy of a photo driving licence or passport and a recent utility bill. Please do not send original documents.

      Most requests will receive a response within one month of receipt of a valid request; those which are more complex or numerous may take up to three months.

      You may not be entitled to see all the information held about you if an exemption under the GDPR/ the Data Protection Act applies, eg if it contains data mixed with other individuals’ data, if disclosure would prejudice the exercise of our regulatory functions or is subject to legal privilege. Requests which are manifestly unfounded or excessive will be refused. 


Overseas transfers

Our systems are UK based. The prospect of international transfer of data will only generally arise in circumstances where we need to send information to our international gambling regulatory counterparts, sports governing bodies based overseas or to officials overseas in connection with regulatory or criminal investigations or processes.

Changes to this privacy statement

We keep this privacy statement under regular review and may change it from time to time. If we change this statement we will post the changes on this page, and place notices on other pages of our website as applicable.

Stakeholder events privacy notice

Purpose for processing

The purpose for collecting your personal data is so that we can communicate with you about our events. We may ask you for your consent for your name and email address to be shared amongst the other attendees of any event for the purposes of networking and building relationships.

What we need

If you wish to attend one of our events, you will be asked to provide your contact information including your name, the organisation you work for (if you are attending on their behalf) and, if offered a place, information about any dietary requirements or accessibility requirements you may need.

Legal basis for processing

The legal basis we rely on for processing your personal data is consent under article 6(1)(a) of the General Data Protection Regulation (GDPR).  

Where we have collected personal information relating to your accessibility and dietary requirements we rely on consent as the legal basis for processing this information under Article 9(2)(a) of the GDPR.

Why we need it

We will use your contact details to communicate with you about the event and also to ensure that we can accommodate your personal requirements.

What we do with it

We only use your personal data to invite you to events and keep you updated afterwards. You will receive initial invitations to events, reminder emails and, if you are allocated a place, any pre-event information. After the event, we may share a write up of the discussions and our plans for next steps.

We may ask you for your consent for your name and email address to be shared amongst the other attendees of any event for the purposes of networking and building relationships. Your personal data will not be shared with anyone else, except for the below specific events:

  • Lived Experience Events: For those who consent, we will share your details with The Health and Social Care Alliance Scotland (the ALLIANCE) for engagement in Scotland. For more information, please see their privacy policy.

We will ask for your consent to email you about future events that you may be interested in.

You have no obligation to participate in events. If you do want to participate, you can opt out at any time. If you opt out, this will mean you won’t get any future correspondence about upcoming events from us. If you wish to opt out, please contact us.

Where you have provided us with information about dietary and accessibility requirements we will share anonymised information with the venue.

How long we keep it

We will keep your personal data within our contacts list for 3 years from when we last contacted you, at which point we will either delete it or contact you again to regain your consent.

Information that we collect relating to your dietary and accessibility requirements will be deleted after the event.

What are your rights?

If you want to know more about your rights, please refer to the Your rights section within the Gambling Commission privacy statement.

Do we use data processors?

Yes - we use Mailchimp, SurveyMonkey and Eventbrite to send out emails on our behalf for events.  For more information, please see their privacy policies:

You will be informed of any other processor/s used as part of the event you take part in.


How to contact us

Please contact our Data Protection Officer at the address stated above if you have any feedback or questions about this privacy statement.

How to complain

If you have any concerns about how we collect or process your data then you can write to our Data Protection Officer or refer to our complaints page. You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO). Complaints can be submitted to the ICO through its helpline by calling 0303 123 1113. Further information about reporting concerns to the ICO is available here.

Do you need any extra help

If you would like this privacy statement in another format (eg audio, large print, braille) please contact us communications@gamblingcommission.gov.uk 

Published on 11 May 2018