Privacy Policy
Please read our privacy policy in conjunction with our terms of use policy. Helpful information around your rights and the appropriate points of contact at GambleAware are contained particularly within Sections 11 and 15.
1. Who we are
GambleAware is an independent charity (Registered Charity England & Wales 1093910, Scotland SC049433, Registered Company Number 4384279) tasked to fund research, prevention and treatment services to help to reduce gambling-related harms in Great Britain.
Please read this policy carefully, along with our Terms of Use and any other documents referred to in this policy, to understand how we collect, use and store your personal information.
If you have any questions regarding our Privacy Policy, please write to:
GambleAware
5th Floor Lincoln House
296-302 High Holborn
London WC1V 7JH
Email: info@gambleaware.org
GambleAware is a commissioning and grant-making body, not a provider of services (save for a limited system co-ordination role as set out in this notice). Guided by the National Strategy to Reduce Gambling Harms, the charity’s strategic aims are to: broaden public understanding of gambling-related harms, in particular as a public health issue; advance the cause of harm-prevention so as to help build resilience, in particular in relation to the young and those most vulnerable to gambling-related harms; and help those who do develop gambling-related harms get the support that they need quickly and effectively.
The objects of the charity are here.
2. What cookies do we use on our website?
Cookies in use on our site are aimed at supporting our Charitable Objects. To reinforce the Charitable Objects, we may use consents to enable personalised advertising (e.g. of events and information aimed at supporting the reduction of gambling harms and for the purposes at section 4).
At section 7 below we explain in more detail about third parties that we work with and how they may approach the use of data.
3. Data Protection
As you browse our website, get in touch with us, or provide donations to us we collect personal information. This deepens our understanding of what you are interested in, and helps us to improve the efficiency of our work.
GambleAware will never exchange or sell your information to another organisation for their own marketing purposes. We know that this is important to you, and want to reassure you that you’re always in control of how we use your personal information in regards to marketing and fundraising activities.
We do however need to collect and use your personal information for carefully considered and legitimate business purposes, which help ensure we can run GambleAware efficiently, raise funds effectively and meet our charitable objects. This policy explains how your personal information will be used, what data we collect, our legal basis for its use, along with outlining your rights in respect of personal information.
4. Purposes for which your personal information are processed
In simple terms, your personal information may be used to help us effectively meet our charitable objects or to help us raise funds for those charitable activities we commission.
We always strive to provide a clear, honest and transparent approach regarding how and when we may collect and use your personal information. The overview below summarises the different reasons why we do this. We may not use your personal information for all of these purposes – it will depend on the nature of our relationship with you, and how you interact with our charitable and fundraising activities, and websites:
- to provide you with services, products or information you have requested (including to link you through to the National Gambling Helpline, which is operated by GamCare);
- to provide further information about our work, services, activities or products (where necessary, and only where you have provided any necessary consent to receive such information);
- to process donations;
- to answer your questions/ requests and communicate with you in general;
- to manage relationships with supporters and beneficiaries;
- to analyse and improve our work, services, activities, products or information (including our website), or for our internal records;
- to report on the impact and effectiveness of our work;
- to run/ administer our website, keep it safe and secure and ensure that content is presented in the most effective manner for you and for your device;
- for training and/ or quality control;
- to audit and/ or administer our accounts;
- to satisfy legal obligations which are binding on us, for example in relation to regulatory, government and/ or law enforcement bodies with whom we may work (for example requirements relating to the payment of tax or anti-money laundering);
- for the prevention of fraud or misuse of our work, services, activities, products, or information;
- for the establishment, defence or enforcement of legal claims.
GambleAware itself will not receive personal data as part of its responsibilities in relation to the National Gambling Support Network (NGSN). These responsibilities may include managing organisations which, at its direction or joint direction, will collate, process, anonymise and analyse service user data obtained with consent from providers within the ‘NGSN’. Arrangements supporting these responsibilities (which in limited scenarios amount to Data Controller responsibilities) will be governed by contract and strict security arrangements will be in place to protect your personal information.
5. Lawful Processing
GambleAware needs a lawful basis to collect and use your personal information. The law sets out six lawful bases. The following are relevant to GambleAware’s use of your personal information:
- on the basis of a person’s consent
- on the basis of a contractual relationship
- on the basis of “legitimate Interests”
We may also share your personal information where we are compelled by law to do so.
- Consent If you are an individual rather than a company, GambleAware will ask for your consent to send you marketing and fundraising emails. You can withdraw consent at any time by contacting us at info@gambleaware.org.
- Contractual relationship We will process your personal information as necessary for the performance of a contract with you – for example if you are a consultant or sole trader working with GambleAware, or to facilitate a payment.
- Legitimate Interests The law allows personal information to be legally collected and used if it is necessary for a legitimate interest (which could be that of the organisation, a third party, or the individual) - as long as its use is fair and balanced and does not unduly impact the rights of the individual concerned.
There are times when it is neither practical nor appropriate to ask a person for consent. In many situations, the best approach for GambleAware and our supporters is to process personal information on the basis of our legitimate interests, rather than consent.
Please read our Legitimate Interests Statement below.
6. Personal information collected
For certain purposes described in this notice, we collect and use personal information such as name and address details along with other contact information such as email addresses and telephone numbers. We also collect information about the services you use, any purchases or financial transactions you make (including payment details), or any marketing contact preferences you give. We maintain a record of communications we send to you and we will log any communications that you send to us.
Do we process ‘sensitive’ personal information?
Under data protection law, certain categories of personal information are recognised as sensitive and requiring greater protection, including personal information about your health, race, religious beliefs, and political opinions (‘sensitive personal data’, also known as special category data). In limited cases, we may collect sensitive personal data about you, such as information about your health. We would only collect sensitive personal data if there is a clear reason for doing so, such as where we need this information to ensure that we provide you with appropriate information and advice and we will either rely on your explicit consent or rely on a further basis that is in the substantial public interest (e.g. for the provision of confidential counselling, advice or support or of another similar service provided confidentially) or, in some cases, we may process sensitive personal data in order to protect your vital interests.
For limited purposes of collation and anonymisation of NGSN data we comply with the additional condition under Article 9 (2) of the GDPR under which the Personal Data that is Special Category Personal Data is Processed as necessary for research and statistical purposes. These arrangements are aimed at using the Personal Data to support the only nationally held set of data statistics on gambling harms treatment and will support research, analysis and statistics aimed at improving future gambling harm treatments.
GambleAware will not receive sensitive personal data as part of its responsibility in managing organisations which, at its direction or joint direction, will collate, process, anonymise and analyse service user data obtained with consent from providers within the NGSN’. Arrangements supporting these responsibilities will be governed by contract and strict security arrangements will be in place to protect your personal information.In the limited scenarios where GambleAware acts as a Data Controller in relation to the processing of sensitive personal data, processors will be required to confirm compliance with data protection legislation and processed will be established in relation to Subject Access Requests.
7. Where does the personal information come from?
We collect information in the following ways:
- When you give it to us DIRECTLY
You may give us personal information about you by filling in forms on (or downloaded from) our website or by corresponding with us by post, phone, e-mail or otherwise, by making a donation to us, or by fundraising on our behalf. This includes personal information you provide when you register to use our site (if applicable), subscribe to our service, and when you report a problem with our site.
- When you give it to us INDIRECTLY
Your information may be shared with us by independent event organisers, for example Charity Challenge or fundraising sites like Just Giving or Virgin Money Giving. These independent third parties will only do so when you have indicated that you wish to support GambleAware and where necessary with your consent. You should check their privacy policies when you provide your personal information to them to understand fully how they will process (and share) it.
- When you give permission to OTHER ORGANISATIONS to share or it is available publicly
We may combine personal information you provide to us with information available from external sources in order to gain a better understanding of our supporters to improve our fundraising methods, products and services.
The personal information we get from other organisations may depend on your privacy settings or the responses you give to them, so you should regularly check your preferences and settings. This information comes from the following sources:
- Third party organisations
We may receive information about you if you use any of the other websites we operate or the other services we provide. We also work closely with third parties (including, for example, business partners, trade associations, advertising networks, analytics providers, search information providers, credit reference agencies) and may receive information about you from them. For example, we receive information from GamCare and other partners via GambleAware’s ‘Data Reporting Framework’, which is a recognised industry tool for the collection of data on individuals accessing treatment. You are always in control of the provision of personal information to the Data Reporting Framework.
Please note that third parties (including, for example, advertising networks and providers of external services like web traffic analysis services) will have their own cookie policies. We should point out that these policies are likely to include analytical/performance cookies or targeting cookies.
For example, you can find out more about how Google stores, uses and manages this data via Google's Privacy and Terms.
- Social Media
Depending on your settings or the privacy policies for social media and messaging services like Facebook, WhatsApp or Twitter, you might give us permission to access information from those accounts or services. We use third party agencies including Socialbakers, Goodstuff and Eight&four to conduct social media marketing on our behalf.
- Information available publicly
This may include information found in places such as Companies House, Gambling Commission Register, Charity Commission Register, and information that has been published in articles/ newspapers.
- When we collect it as you use our WEBSITES OR APPS
With regard to each of your visits to our site we may automatically collect the following information:
- Technical information, including the Internet protocol (IP) address used to connect your computer to the Internet, your login information, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform;
- Information about your visit, including the full Uniform Resource Locators (URL) clickstream to, through and from our site (including date and time); products you viewed or searched for; page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), and methods used to browse away from the page and any phone number used to call our customer service number.
8. Social Media Marketing
Our marketing agencies use tools available on social media such as Facebook in order to help direct our services to the right audiences. You can learn more about interest-based advertising from Facebook by visiting this page: https://www.facebook.com/help/516147308587266. To opt-out from Facebook’s interest-based ads, follow these instructions from Facebook: https://www.facebook.com/help/568137493302217
Visit the Facebook Privacy Policy for more information about how Facebook manages Personal data or contact Facebook online, or by mail: Facebook, Inc. ATTN, Privacy Operations, 1601 Willow Road, Menlo Park, CA 94025, United States.
Facebook Insights
Our agencies may also use the Facebook Insights function in order to obtain anonymised statistical data about users who visit our Facebook page. For this purpose, Facebook places a Cookie on the device of the user visiting our Facebook page. Each Cookie contains a unique identifier code and remains active for a period of two years, except when it is deleted before the end of this period.
For more information on the privacy practices of Facebook, please visit Facebook’s Privacy Policy here: https://www.facebook.com/full_data_use_policy
9. How long we keep personal information
In general, unless we still require the personal information for the purpose for which we collected and/ or process it, we remove your personal information from our records seven years after the date it was collected. However, if before that date (i) your personal information is no longer required in connection with such purpose(s), (ii) we are no longer lawfully entitled to process it or (iii) you validly exercise your right of erasure (see Data Protection Rights below), we will remove it from our records at the relevant time.
If you ask not to receive any further contact from us, we will keep some basic information about you in order to avoid sending you unwanted materials in the future.
10. Data Sharing
GambleAware will not exchange or sell your personal information to another organisation for their own marketing purposes. However, there are some situations where we may have to share your personal information with other organisations, including:
- Business partners, suppliers and sub-contractors for the performance of any contract we enter into with them or you.
- The Gambling Commission, Charity Commission, Fundraising Regulator, Information Commissioner’s Office, legal advisors and relevant professional and trade associations.
- Organisations relevant to, or involved in, your annual financial contribution towards research, education and treatment of those harmed by gambling, as described in the Gambling Commission’s Social Responsibility Code Provision 3.1.1.(2) contained in the Gambling Commission’s Licence Conditions and Code of Practice (LCCP).
- Advertisers and advertising networks that require the information to select and serve relevant adverts to you and others.
- Analytics and search engine providers that assist us in the improvement and optimisation of our site.
- Other third parties that provide services on our behalf, e.g. anonymisation, processing, mailing or delivering orders, answering customers’ questions about products or services, sending mail and emails, customer analysis, assessment and profiling, when using auditors/advisors or processing credit/debit card payments (see in particular section 6).
In these situations, the relationship between GambleAware and the third party data processor will generally be governed by a contract and strict security requirements will be in place to protect your personal information. GambleAware will never sell or rent your personal information to other organisations.
We may also disclose your personal information to other organisations:
- If we sell or buy any business or assets, in which case we may disclose your personal information to the prospective seller or buyer of such business or assets.
- If GambleAware or substantially all of its assets are acquired by a third party, in which case personal information held by it about its customers will be one of the transferred assets.
- If we are under a duty to disclose or share your personal information in order to comply with any legal obligation, or in order to enforce or apply our terms of use and other agreements; or to protect the rights, property, or safety of GambleAware, our customers, or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.
11. Data Protection Rights
Where GambleAware is using your personal information on the basis of your consent, you have the right to withdraw that consent at any time. You also have the right to ask GambleAware to stop using your personal information for direct marketing purposes. Simply contact us. You also have the following rights which apply in certain circumstances and subject to exemptions:
- Right of Access – You can ask what information we hold on you and request a copy of that information. If you want to access your information, please send us a description of the information you want to see and proof of your identity so we can ensure that we only provide personal information to the right person). Our Single Point of Contact for requests including Subject Access Requests can be reached at info@gambleaware.org.
- Right of Erasure – also known as the right to be forgotten (i.e. to have your personal information deleted or anonymised).
- Right of Rectification – If you believe our records are inaccurate you have the right to ask for those records concerning you to be updated.
- Right to Restrict Processing – In certain situations you have the right to ask for processing of your personal information to be restricted because there is some disagreement about its accuracy or legitimate usage.
- Right to Data Portability – Where we are processing your personal information under your consent the law allows you to request data portability from one service provider to another. This right is largely seen as a way for people to transfer their personal information from one service provider to a competitor.
- Right to Object - You have a right to object to processing in accordance with the UKGDPR (see the ICO Guidance on Right to Object) and an absolute right to stop the processing of your personal information for direct marketing purposes.
- Right to object to automated decisions – In a situation where a data controller is using your personal information in a computerised model or algorithm to make decisions “that have a legal effect on you”, you have the right to object. This right is more applicable to mortgage or finance situations. GambleAware does not undertake complex computerised decision making that produce legal effects.
12. Collection of Data through ‘Cookies’
Like most websites, we use ‘cookies’ on the GambleAware website. For more information regarding out use of cookies including a description of the cookies we use please see our Cookie Policy.
13. Where we store your personal information
The data that we collect from you may be transferred to, and stored at, a destination outside the European Economic Area ("EEA"). It may also be processed by staff operating outside the UK and EEA who work for us or for one of our suppliers. Such staff maybe engaged in, among other things, the provision of support services.
Some countries outside the UK and EEA have a lower standard of protection for personal information, including lower security requirements and fewer rights for individuals. In these cases we will take all steps reasonably necessary to ensure that adequate safeguards have been put in place to protect your personal information, such as European Commission-approved contracts, and that it is always treated securely in accordance with this Privacy Policy.
Unfortunately, no transmission of information via the internet is completely secure. Although we will do our best to protect your personal information, we cannot guarantee the security of your data in transit online. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.
14. Notification of changes to this Privacy Policy
This Privacy Policy may change from time-to-time. For example, we will continue to update it to reflect new legal requirements. Please visit this website page to keep up-to-date with the changes to our Privacy Policy. If we update this Privacy Policy in a way that significantly changes how we use your personal information, we will bring these changes to your attention where possible.
15. What to do if you are not happy?
In the first instance, please talk to us directly so we can help resolve any problem or query. You can contact us using this email address: info@gambleaware.org.
You can also register with the Fundraising Preference Service (FPS). This service is run by the Fundraising Regulator and allows you to stop receiving fundraising email, telephone, addressed post, and/or text messages from a selected charity or charities by using the online service at www.fundraisingpreference.org.uk or by calling 0300 303 3517. Once you have made a request through the FPS, we will ensure that your new preferences take effect within 28 days.
You also have the right to complain to the Information Commissioners Office (ICO) at any time if you have any concerns about Data Protection using their help line 0303 123 1113 or at www.ico.org.uk
16. Legitimate Interests Statement
Data privacy law requires us to have specific lawful reasons in order that we can use (or 'process') your personal information. One of the reasons is called 'legitimate interests'. Broadly speaking Legitimate Interests means that we can process your personal information if we can identify a legitimate interest (which can be ours or another’s), that our use is reasonably necessary to further that interest and we are not harming any of your rights and interests.
If you would like to know more about legitimate interests under data privacy law see the Information Commissioners Office (ICO) website.
This statement explains GambleAware’s legitimate interests.
What are GambleAware's Legitimate Interests?
Generally, GambleAware’s legitimate interests are the running of GambleAware as a charity and a business and pursuing our charitable objects.
This includes (non-exhaustively):
Governance
- Delivery of our charitable purpose as set out in our governing document, and our charitable objects
- Reporting criminal acts and compliance with law enforcement agencies
- Internal and external audit for financial or regulatory compliance purposes
- Statutory reporting
Publicity & Income Generation
- Conventional direct marketing and other forms of marketing, publicity or advertisement (where we are not required to rely on consent – see the note on corporate subscribers below)
- Unsolicited commercial or non-commercial messages, including campaigns, income generation or charitable fundraising
- Personalisation content used to tailor and enhance the customer experience in our digital and postal communications
- Exercise of the right to freedom of expression or information, including in the media and the arts
- Analysis, targeting, and segmentation of our database to develop corporate strategy and improve communication efficiency
- Processing for research purposes (including marketing research)
Operational Management
- Employee and volunteer recording and monitoring for recruitment, safety, performance management or workforce planning purposes
- Provision and administration of staff benefits such as pensions
- Physical security, IT and network security
- Maintenance of suppression files
- Processing for historical, scientific or statistical purposes
Financial Management & Control
- Processing of financial transactions and maintaining financial controls
- Prevention of fraud, misuse of services, or money laundering
- Enforcement of legal claims including debt collection via out-of-court procedures
Administrative Communications
- Responding to any solicited enquiry from any of our stakeholders
- Thank you communications and receipts
- Administration of existing financial transactions
- Administration of Gift Aid
- Maintaining “Do not contact lists” (suppression lists)
Research
- Receiving data for research commissioning purposes and sharing it with researchers we commission. GA does NOT control or process research data, i.e. any data used by or generated within research and evaluation projects. This is entirely the responsibility of the teams funded by GA – it is not at any time specified by or provided to GA or stored or analysed by GA.
Education
- No Education Team data is personal, and GA does not qualify as either a data processor or controller for this workstream.
Treatment
- Patient records for the purposes of investigating serious incidents
- Pseudonymised and anonymised patient data for the purposes of managing treatment grant-funding, and quality assurance
National Gambling Support Network (NGSN) Partial System Co-ordination role
- Management of contracts for the collation, anonymisation and analysis of NGSN data, with no personal data provided directly to GambleAware (see Section 6 for details).
When we process your personal information for our legitimate interests, we will consider and balance any potential impact on you and your rights under data protection and any other relevant law. Our legitimate business interests do not automatically override your interests – we will not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law).
Where we are processing your personal information based on legitimate interests, you have a right to object to this use which can be exercised by contacting us. Please note that in some cases we will continue to process your personal information where the law allows us to – such as if there are compelling legitimate grounds for the processing which override your interests or if the processing is for the establishment, exercise or defence of legal claims.
Note on corporate fundraising and ‘corporate subscribers’:
Our charity processes personal information to deliver marketing and fundraising content to company representatives working at and/or for corporate bodies and entities who derive an income from the gambling industry in Great Britain, with the aim of obtaining the companies’ support, as well as when sending follow up communications (including personal stories and accounts, thank you messages, progress reports, invitation to stewardship events, etc). Moreover, we process personal data from individuals working at and/or for a wide range of relevant stakeholders such as legislators (e.g. Gambling Commission, DCMS, Charity Commission), professional trade associations and professional bodies (e.g. Betting & Gaming Council, Lotteries Council, IGRG) and other relevant bodies and organisations (e.g. ABSG).
GambleAware relies on legitimate interest as its legal basis to process personal data and send direct marketing communications promoting our charity and charitable objectives to companies who fall under the ‘corporate subscriber’ category of recipients (as opposed to the ‘individual subscriber’ category of recipients). The law requires us to have consent to send email marketing to ‘individual subscribers’, but not for marketing to corporate addresses. We do so on the basis that:
- The organisation the individual works for is a corporate entity.
- The basis of the communication is relevant to the individual’s work within the organisation, as opposed to contacting them in a personal capacity.
- Our marketing is relevant to the work of the organisation and the individual would reasonably expect this communication given the work that the organisation does.
- We give the individual our identity and contact details in order for them to be able to request to stop using their personal information for marketing where they wish to; and in the case that we receive such a request, we comply with the request.
- We provide a privacy notice in our communications with them to cover how we will process the individual’s personal information and their rights in respect of it.
- We have considered the individual’s reasonable expectations and interest against our own by doing a legitimate interest assessment (LIA). Further information on legitimate interest assessments can be found in the ICO Guide to GDPR.
Please find further guidance on GDPR and Corporate Fundraising produced by the Institute of Fundraising and the Fundraising Regulator here.
GambleAware Events
GambleAware runs various events from time to time to update, educate inform its stakeholders and to raise awareness for its work, encouraging debate and a range of thoughts and opinions (“Events”). This privacy notice provides you with information about how GambleAware uses your personal data when you register for and attend an Event run by GambleAware.
What personal data will be processed?
If you register with an Event App, GambleAware will receive the following information:
- your first and last name, email, avatar image, and any company information you’ve chosen to include in your Event App profile.
- the sessions you’ve added to your personalised schedule.
- the points of interest (speakers, vendors, etc.) you’ve added to your to-do list.
- your general usage metrics (time in the guide, how many times you opened the guide, etc.)
If you choose not to share your information but sign-in to an Event App account when accessing the guide, GambleAware will see your first and last name, email, avatar image, and any company information you’ve chosen to include in your Event App profile. Usage details will not be shared with GambleAware.
If you register for an Event with GambleAware directly, the information you provide us will include:
- your title, name, and full postal, email address and or telephone number;
- your job title and role;
- any dietary requirements; and
- access needs.
GambleAware may photograph and film the Event which will be used to market our services and to promote future events. GambleAware will therefore process your image. You will be notified if we intend to photograph/film an Event, for example, in the invitation and on signs at the entrance to the Event. If you do not wish to be photographed or filmed at an Event, please contact us. Where possible, we will provide photo- and film-free zones for those who do not want their picture taken can sit.
What is the purpose of processing?
GambleAware will process your personal data for the following purposes:
- To reserve a place for you at the event(s) or series of events you requested to attend;
- To provide you with information about the event(s) for which you have registered, such as event updates, and possible changes, cancellation or similar information;
- For general administration and organisation of our events, for example to contact you with information about an event or conference that you’re exhibiting at, or attending as we need to use your details for planning and logistics, to invoice you, to provide you customer service in relation to the event, and general administration of your attendance at the event.
- To fulfil and monitor our legal responsibilities, for example, under public safety legislation;
- In accordance with your preferences, to communicate with you about other events, news, and services we provide (for example online webinars);
- To ask you for your feedback or review after an Event you have attended;
- To pass on your contact details to our logistics partners to enhance your experience at an Event you have signed up to exhibit or sponsor at;
- To assess the activity of our attendees at our Events.
- To create a delegate list (which will include your name and company (not email or telephone number), which will be shared with an Exhibitor or Sponsor at the Event.
- To film and photograph the Event which will be used to market our services and to promote future events on our website, social media channels and in marketing materials. You will be notified if we intend to photograph/film an Event, for example, in the invitation and on signs at the entrance to the Event.
- To improve our services, customer relationships and experiences; and
- To plan better future events and attendee experience.
What is the legal basis of the processing?
We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:
- To perform the contract we are about to enter into or have entered into with you.
- For our legitimate interests (for example, in order to manage and develop our business, study how customers use our products/services, to develop them, grow our charitable organisation and purposes, and inform our strategy).
- Where we need to comply with a legal obligation.
Page last updated: August 2024