Data Subjects’ rights
Dragonara Casino, which forms part of Pinnacle Gaming Group (the Group), may collect and process your personal data when you have specifically given your consent. When you use our gaming services, we may ask you for additional information about your profile; we may connect this data with your profile or analyse it in order to personalise the way we interact with you. The data controller is Pinnacle Gaming Group, whose office is situated at Level 11, Portomaso Tower, St Julian’s, STJ 4011, Malta. If the basis for processing your personal data is your consent, you may revoke it at any time according to the GDPR by writing to the Data Protection Officer at Pinnacle Gaming Group, Level 11, Portomaso Tower, St Julian’s, STJ 4011, Malta.
Right to be informed
The information that the Group supplies about the processing of personal data will be:
· concise, transparent, intelligible and easily accessible;
· written in clear and plain language;
· free of charge.
The following is the information the Group is to supply to individuals:
· Identity and contact details of the controller and the data protection officer;
· Purpose of the processing and the lawful basis for the processing;
· The legitimate interests of the controller or third party, where applicable;
· Categories of personal data;
· Any recipient or categories of recipients of the personal data;
· Details of transfers to third countries and safeguards;
· Retention period or criteria used to determine the retention period;
· The existence of each of the data subject’s rights;
· The right to withdraw consent at any time, where relevant;
· The right to lodge a complaint with a supervisory authority (i.e. Information & Data Protection Commissioner);
· The source the personal data originates from and whether it came from publicly accessible sources;
· Whether the provision of personal data is part of a statutory or contractual requirement or obligation and possible consequences of failing to provide the personal data;
· The existence of automated decision making, including profiling and information about how decisions are made, the significance and the consequences.
Note: Data not obtained directly from the data subject will be provided within a reasonable period of having obtained the data (within one month).
Right of Access
Under the GDPR, individuals will have the right to obtain:
· confirmation that their data is being processed;
· access to their personal data when justified; and
· other supplementary information.
The following is the information that an individual is entitled to under the GDPR:
· The GDPR clarifies that the reason for allowing individuals to access their personal data is so that they are aware of and can verify the lawfulness of the processing.
· When dealing with a subject access request, the Group will provide a copy of the information free of charge. However, the Group can charge a ‘reasonable fee’ when a request is manifestly unfounded or excessive, particularly if it is repetitive, or for requests that require further copies of the same information.
· Information will be provided without delay and at the latest within one month of receipt. The Group will be able to extend the period of compliance by a further two months where requests are complex or numerous. If this is the case, the Group will inform the individual within one month of the receipt of the request and explain why the extension is necessary.
· Where requests are manifestly unfounded or excessive, in particular because they are repetitive, the Group can charge a reasonable fee taking into account the administrative costs of providing the information or refuse to respond.
· Where the Group refuses to respond to a request, we will explain why to the individual, informing them of their right to complain to the supervisory authority and to a judicial remedy without undue delay and at the latest within one month.
· We will verify the identity of the person making the request, using ‘reasonable means’. If the request is made electronically, the Group will provide the information in a commonly used electronic format.
· The right to obtain a copy of information or to access personal data through a remotely accessed secure system should not adversely affect the rights and freedoms of others.
· Where the Group processes a large quantity of information about an individual, the GDPR permits the Group to ask the individual to specify the information the request relates to. The GDPR does not include an exemption for requests that relate to large amounts of data, but the Group may be able to consider whether the request is manifestly unfounded or excessive.
Right to rectification
· Individuals are entitled to have personal data rectified if it is inaccurate or incomplete. If the Group has disclosed the personal data in question to others, the Group will contact each recipient and inform them of the rectification - unless this proves impossible or involves disproportionate effort. If asked to, the Group will also inform the individuals about these recipients.
· The Group will comply with a request for rectification and respond within one month. This can be extended by two months where the request for rectification is complex. Where the Group is not taking action in response to a request for rectification, the Group will explain why to the individual, informing them of their right to complain to the supervisory authority and to a judicial remedy.
Right to erasure
This is also known as ‘the right to be forgotten’.
The right to erasure does not provide an absolute ‘right to be forgotten’. Individuals have a right to have personal data erased and to prevent processing only in specific circumstances:
· Where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed.
· When the individual withdraws consent.
· When the individual objects to the processing and there is no overriding legitimate interest for continuing the processing.
· The personal data was unlawfully processed (i.e. otherwise in breach of the GDPR).
· The personal data has to be erased in order to comply with a legal obligation.
There are some specific circumstances where the right to erasure does not apply and the Group can refuse to deal with a request.
The Group can refuse to comply with a request for erasure where the personal data is processed for the following reasons:
· to exercise the right of freedom of expression and information;
· to comply with a legal obligation for the performance of a public interest task or exercise of official authority;
· for public health purposes in the public interest;
· archiving purposes in the public interest, scientific research, historical research or statistical purposes; or
· the investigation, exercise or defence of legal claims.
Right to restrict processing
Individuals have a right to ‘block’ or suppress processing of personal data. When processing is restricted, the Group is permitted to store the personal data, but not further process it. The Group will retain just enough information about the individual to ensure that the restriction is respected in future.
The Group is required to restrict the processing of personal data in the following circumstances:
· Where an individual contests the accuracy of the personal data, it should restrict the processing until the accuracy of the personal data is verified.
· Where an individual has objected to the processing (where it was necessary for the performance of a public interest task or purpose of legitimate interests), and the Group is considering whether the organisation’s legitimate grounds override those of the individual.
· When processing is unlawful and the individual opposes erasure and requests restriction instead.
· If the Group no longer needs the personal data but the individual requires the data to establish, exercise or defend a legal claim.
Note: The Group will inform individuals when it decides to lift a restriction on processing.
Right to data portability
The right to data portability only applies:
· to personal data an individual has provided to the controller;
· where the processing is based on the individual’s consent or for the performance of a contract; and
· when processing is carried out by automated means.
The Group will provide the personal data in a structured, commonly used and machine readable form. Open formats include CSV files. Machine readable means that the information is structured so that software can extract specific elements of the data. This enables other organisations to use the data.
The information will be provided free of charge.
If the individual requests it, the Group may be required to transmit the data directly to another organisation if this is technically feasible. However, the Group is not required to adopt or maintain processing systems that are technically compatible with other organisations.
If the personal data concerns more than one individual, the Group will consider whether providing the information would prejudice the rights of any other individual.
The Group will respond without undue delay, and within one month. This can be extended by two months where the request is complex or if it receives a number of requests. The Group will inform the individual within one month of the receipt of the request and explain why the extension is necessary.
Where the Group is not taking action in response to a request, it will explain why to the individual, informing them of their right to complain to the supervisory authority and to a judicial remedy without undue delay and at the latest within one month.
Right to object
Individuals have the right to object to:
· processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling);
· direct marketing (including profiling); and
· processing for purposes of scientific/historical research and statistics.
The Group will stop processing the personal data unless:
· the Group can demonstrate compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the individual; or
· the processing is for the establishment, exercise or defence of legal claims.
The Group will inform individuals of their right to object “at the point of first communication” and/or in the privacy notice. This will be “explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information”.
The Group will stop processing personal data for direct marketing purposes as soon as it receives an objection. There are no exemptions or grounds to refuse. The Group will deal with an objection to processing for direct marketing at any time and free of charge.
Individuals will have “grounds relating to his or her particular situation” in order to exercise their right to object to processing for research purposes. If the Group is conducting research where the processing of personal data is necessary for the performance of a public interest task, the Group is not required to comply with an objection to the processing.
If the processing activities are carried out online, the Group will offer a way for individuals to object online.
Rights related to automated decision making including profiling
The GDPR has provisions on:
· automated individual decision-making (making a decision solely by automated means without any human involvement); and
· profiling (automated processing of personal data to evaluate certain things about an individual). Profiling can be part of an automated decision-making process.
The GDPR applies to all automated individual decision-making and profiling. It has additional rules to protect individuals if the Group is carrying out solely automated decision-making that has legal or similarly significant effects on them.
The regulation states that “The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.”
The Group will only carry out this type of decision-making where the decision is:
· necessary for the entry into or performance of a contract; or
· authorised by Union or Member State law applicable to the controller; or
· based on the individual’s explicit consent.
The Group will identify whether any of the processing falls under the data protection regulation and, if so, will:
· give individuals information about the processing;
· introduce simple ways for them to request human intervention or challenge a decision;
· carry out regular checks to make sure that its systems are working as intended.
For more information regarding your data, please contact:
Data Protection Officer: Neville Aquilina
Tel: (356) 2092 1000