If you have any questions about how we process your personal information, you can contact our  Data Protection Officer regarding your rights.

By email: DPO-GSC@gov.im

By telephone:  01624 698322

In writing: 

Data Protection Officer

Gambling Supervision Commission

Ground Floor, St George’s Court,

Myrtle Street, Douglas,

Isle of Man, IM1 1ED

Section 5 of the Gambling Supervision Act 2010 says that the GSC must, so far as is reasonably practicable, exercise its functions in such a way that is compatible with the regulatory objectives, which are:

• ensuring that gambling is conducted in a fair and open way.

• protecting children and other vulnerable persons from being harmed or exploited by gambling; and

• preventing gambling from being a source of crime or disorder, associated with crime or disorder, or used to support crime.

Our collection of personal data for licensing purposes may also be used to:

• comply with our statutory function and legal obligations

• inform our regulatory work in accordance with these objectives – including investigations and enforcement

• assist other regulators or law enforcement agencies

• check our level of service and to help us improve things where we can, and

• conduct research/ collate statistics for publication and/or for the purposes of formulation of policy. Although in this case, data will not identify individuals.

Applications for Licences and other Regulatory Permissions

When we receive an application for a licence or other regulatory permission, we create or update information we hold about relevant persons on our systems.

Relevant persons are those responsible for the gambling or those who own stock or shares in the applicant if that is a company. We use that data to decide whether to approve the application and issue a licence (or other regulatory permission).

The provision of data for the purposes of licence applications is required by law. Failure to provide the information requested constitutes an offence under Manx Gambling Law and will also lead to the application being refused.

If we find that any individual does not meet the necessary standards required by law, they may not be employed by an applicant and the GSC has powers of Direction to require changes of personnel where required.

For this reason, it is vital that care is taken to ensure that the information supplied to us is accurate (including in the period between the submission of the application and the date of the decision). If this is not done, there is a possibility that the licence subsequently issued may be reviewed and/or withdrawn.

As part of our obligations to combat money laundering and the financing of terrorism under the Anti-Money Laundering and Countering the Financing of Terrorism Code 2019 and the Proceeds of Crime Act 2008, we conduct a thorough “Know Your Customer" or KYC process on all individuals associated with companies applying for or holding a gambling licence or permit.

We will verify your identity using reliable, independent sources, such as government-issued documents and conduct suitability or ‘fit and proper’ assessments as part of the licensing process. For this purpose, we will obtain personal data relating to you from third parties such as the Disclosure and Barring Service/Disclosure Scotland.

We will also use party providers such as Lexis Nexis, World Check and Accuris Risk Intelligence to determine:

• if you appear on any government lists of known or suspected terrorists.

• whether you are a politically exposed person (PEP).

• if there is any adverse media about you.

• If there are any government sanctions enforced against you.

We will continually monitor government sanctions lists, watchlists and PEP lists throughout your relationship with the GSC to identify any unusual or suspicious activity, which might indicate potential illicit actions.

We will maintain records of the verification process, including copies of any identification provided and ensure that the information remains relevant and accurate.

People we are investigating/ regulatory action

Isle of Man gambling legislation requires that we undertake activities for the purposes of assessing compliance with the Law or to ascertain whether any offence has been committed. We will use personal data in the course of conducting investigations (and deciding outcomes) into the activities of personal and operator licensees.

This information may also be relevant to our wider regulatory objectives and statutory functions. We may, for example, derive information from our investigations which help us improve our understanding of the gambling market and assessment of the risks it faces (and potential risks to consumers as a result), and to seek continuous improvements in the market and our regulation of it. As mentioned above, we will also publish regulatory action we take following our investigations.

Responding to Requests

We will use your information to provide customer support, respond to your inquiries and fulfil your requests. 

Provide Regulatory Communications

We will use your information to send you communications that we believe may be of interest to you, such as to contact you via mail, email, or telephone in order to give you news and updates about relevant regulatory information. 

Consultation purposes

We may consult with you on policy or legislative changes, seek your views on improving our services, identify usage trends, assess our regulatory campaigns, or invite you to our forums or events.

Detect and Prevent Fraud

We may process your personal information, to help monitor, prevent, and detect fraud and abusive use of our licence conditions, enhance security, and combat other security risks.

Complaining about a license holder 

We will process personal data provided by consumers when they make complaints about a gambling business licensed by us. Such will generally be made to the business itself first before being escalated to the GSC.

When we receive any such complaint, we will create a complaint file which will identify the complainant (and include their contact details) and others who may be named in the complaint. We will ordinarily have to share the complainant’s identity with the operator or person complained about.

It may be necessary for the person complained about to access any relevant information they hold on a complainant (e.g. relevant customer account details, history, etc) to help us resolve the complaint. The more complete a picture that we have of the issues complained about, the better prospect we will have in dealing with it effectively.

If a complainant tells us that they do not want to be identified to the operator/ person complained about, we will try to respect that. But where there is an overarching public interest to progress a complaint made, which cannot be done without disclosing the complainant’s identity, we may decide to do so.

A complaint may also lead to regulatory action as set out above; as such, the relevant data may also form part of the investigation file. We may publish research or statistics regarding the complaints we deal with in a relevant period; but we will not do this in a way which identifies individual complainants.

Publication

We may publish the names of companies or individuals whose licences have expired, been suspended, cancelled or surrendered.

If a licensee is, or has been, subject to a regulatory sanction we may issue a public statement. Additionally, we may publish a list of individuals who have been prohibited by the GSC under anti-money laundering legislation.

We generally collect the following categories of personal data to support our regulatory objectives:

Identifying information: such as name, date and place of birth, residential and contact details, photograph, nationality and other unique identifiers such as government-issued identification and national insurance number.

Contact information: such as telephone number, email address, physical addresses.

Professional information: such as education and employment history including schools and places of higher education attended, relevant qualifications, details of current and previous employment, and academic and employment references, job role etc.

Financial information: such as a person’s financial situation, solvency and any past declarations of bankruptcy and any civil convictions.

Payment Information: we may collect your payment card, transaction, or financial account information, when you purchase our products. All credit card information is held by GSC’s payment gateway provider employing industry standard protections. We may also collect other Personal Information at the request of the business with whom you are transacting.

Legal information: such as being subject to current or past civil litigation, or being subject to successful investigation by a governmental, professional or other regulatory body.

Offences: We collect personal data on individuals managing or controlling licence holders or applicants. This includes information on criminal, civil, and regulatory offences, both current and past, as well as pending charges. This data is essential for fulfilling our regulatory and legal obligations, maintaining industry integrity, ensuring compliance, and protecting the public. By processing this data, we can monitor and prevent unlawful activities, uphold fair practices, and safeguard vulnerable individuals.

Corporate information: this includes personal information in relation to individuals holding roles of influence within a corporate entity that is or seeks to be licensed by the GSC. This includes roles such as directors, shareholders, ultimate beneficial owners, senior managers in key roles and regulatory positions such as Money Laundering Reporting Officers etc.

The GSC ensures that it only processes personal data if at least one of the following applies:

• The data subject has given consent to the processing of his or her personal data for one or more specific purposes;

• The processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

• The processing is necessary for compliance with a legal obligation (i.e. European or Manx law) to which the GSC is subject;

• The processing is necessary in order to protect the vital interests of the data subject or of another natural person;

• The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the GSC by European or Manx law;

• The processing is necessary for the purposes of the legitimate interests pursued by the GSC, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.

As a regulatory body, most of the personal data we collect, and process pertains to our regulatory functions and responsibilities. Therefore, when processing data, it is primarily because it is necessary for performing tasks in the public interest and/or exercising our statutory functions. 

When we need your consent to process your personal information, we will ask for it in advance. This consent is voluntary and can be withdrawn at any time. However, withdrawing consent may prevent the GSC from providing services. If you disagree with any part of this Policy, you should stop using our services immediately

Sharing personal data will be primarily for the purpose of performing regulatory functions but may also take place for the purposes of the prevention and detection of crime or for the collection of taxes and other duties or international obligations. Such sharing with third parties will be to help us (or them) to exercise our (or their) functions appropriately.

This may include parties such as:

• Relevant public authorities.
• Gambling regulatory authorities.
• Sports betting integrity units.
• Other regulators.
• Technology providers.
• Law enforcement agencies (including overseas).

We may also share with and obtain personal data from third party organisations when carrying out our regulatory objectives. The main ones are listed below.

• Disclosure and Barring Service.
• Isle of Man Treasury Customs & Excise Division.
• Financial Intelligence Unit.
• Financial Services Authority.
• Other international gambling regulators.

Any personal data we share in this way is shared in accordance with relevant legislation and is limited to the type and amount of data we believe necessary in order to achieve our objectives. It may also be necessary to share information for other reasons, such as legislative obligations in relation to:

• The prevention and detection of crime;
• The collection of tax and gaming duty;
• Investigating the proceeds of crime;
• Anti-Money Laundering;
• Countering the financing of terrorism; and
• Proliferation of financing

Sometimes we may be required by another body to disclose personal data under relevant legislation or by court order. Where that is the case, we will take appropriate steps to ensure:

• that your personal data is subject to a similar level of protection in that jurisdiction that it would be in the Isle of Man.

• that the type and amount of personal data we share is relevant and proportionate to the purpose for which it is being shared.

• that the transfer of data will be in accordance with the law.

Equally, personal data we receive from other bodies will be treated in accordance with this Privacy Notice.

Sharing Data for the purpose of Audits

The GSC may forward all data, including any personal data to the approved Auditor appointed by the licensee in accordance with the relevant procedures, in order for the said Auditor to carry out the respective audit. This processing is carried out on the basis of a contractual obligation included within the applicable issued licences.

Player Data

Most personal data pertaining to players and that is processed by the GSC is supplied directly by the player to the GSC when seeking assistance with general and technical queries as well as when asking for help in resolving disputes with land based or remote gaming operators.

The GSC also collects certain personal data relating to players when carrying out inspections at land-based operators’ premises aimed at enforcing requirements relating to the protection of minors and of vulnerable persons (such as self-barred persons).

Share data for complaints

It is likely that the GSC will have to share the complainant’s identity with the licensee in order to be able to resolve the situation. If a complainant would not like to be identified to an operator, it is recommended that they inform us of that wish as soon as possible, and the GSC will try to respect that, however if it is determined that there is an overarching public interest to proceed with the investigation of a complaint and this can only be done by disclosing the complainant’s

Processing of Player Data gathered via Land-Based Inspections

 As part of its regulatory functions aimed at protecting minors and vulnerable persons, the GSC carries out inspections at the premises of land- based operators.

During such inspections, a sample of players is asked to provide their personal information so as to allow the GSC’s inspectors to confirm that the players are not in the database of self-barred persons or below the age required by law to enter into such gaming premises.

The GSC ensures that such personal data relating to players is only used for the purposes for which it is collected; that is to ensure that the land-based gaming operator is abiding by the legal requirements related to the protection of minors and vulnerable persons that are applicable to him. This data is processed based on the GSC’s legal obligation to regulate the provision of gaming services offered to and from the Isle of Man.

Enquiries

Enquiries received from third parties regarding locating on the Island are encouraged may be passed to Digital Isle of Man, an Executive Agency within Isle of Man Government's Department for Enterprise. They support the tech sector, developing and implementing a strategy to support sustainable economic growth and establishing the Isle of Man as a centre of international excellence for the digital economy.

In accordance with our statutory functions and powers, we will obtain data from third parties in the following ways (and for the following reasons):

In order to confirm information supplied to us in the licensing application process and/or for the purposes of suitability assessments.

From license holders operators, either at our request or when they are required to report information to us. This may include information about problem gamblers, for example, from complainants, members of the public, other regulatory bodies, witnesses and experts about persons who may be relevant to a regulatory investigation

Data provided by licence applicants identifying people relevant to the application who are not the applicants themselves (for example, funders).

Information may be provided to us by law enforcement agencies or other regulatory bodies in relation to a license holder or an associated individual for the purpose of investigating their fitness and propriety.  

In each case, the information is important to the exercise of our regulatory functions; and we will not generally notify the relevant individuals when such data is received from third parties.

In certain circumstances, particularly where there is a possibility of criminal activity being identified and actioned, notification could obviously hinder this process.

International data transfers will generally occur only when we need to share information with international gambling regulatory counterparts, overseas sports governing bodies, or officials abroad in connection with regulatory or criminal investigations or processes

We will take all necessary steps to ensure your personal information is treated securely and in accordance with this Policy. No transfer of your personal information will occur to an organisation or country unless appropriate safeguards are in place as required by applicable data protection laws. If you do not want your information transferred, processed, or maintained outside your country or jurisdiction, please do not use the site or services.

The Data Protection Law sets out how the rights (together with rights of access – explained below) apply in circumstances where we are conducting law enforcement processing.

This includes the prospect of certain rights being restricted (in whole or in part) where necessary and proportionate:

• to avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences or expectation of criminal penalties.

• to avoid obstructing an official or legal inquiry, investigation or procedure; or

• to protect public security, or the rights and freedoms of persons other than the data subject.

Special categories of personal data as defined by the GDPR include:

• personal data revealing racial or ethnic origin;
• political opinions;
• religious or philosophical beliefs;
• trade union memberships,
• genetic and biometric data processed for the purpose of uniquely identifying a natural person;
• data concerning health;
• data concerning a natural person's sex life or sexual orientation.

The GSC ensures that any processing of special categories of personal data is only carried out when one of the following applies:

• the data subject has given explicit consent to the processing of those personal data for one or more specified purposes;
• processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the GSC or of the data subject in the field of employment and social security and social protection law;
• processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;
• processing relates to personal data which are manifestly made public by the data subject;
• processing is necessary for the establishment, exercise or defence of legal claims;
• processing is necessary for reasons of substantial public interest, on the basis of European or Manx law;
• processing is necessary for the assessment of the working capacity of the employee;

In most cases, the special category data processed by the GSC will be criminal offence data, the processing of which is necessary for reasons of substantial public interest, on the basis of European or Manx law. 

We do not knowingly request or process children's data. 

The security and confidentiality of your information is very important to us. We will ensure that safeguards are in place to:

• Keep sufficient information to provide services and fulfil our legal responsibilities.

• Keep your records secure and accurate and only permit authorised staff to view your information.

• Only keep information as long as it is required.

• Only the GSC’s personnel are able to view your data.

Your data will only be held on servers that are under the control of the Cabinet Office, Government Technology Services (GTS) and within the jurisdiction of the Isle of Man in line with ISO27001 standard - the ISO standard on information security and hold cyber essentials.

Email communications are stored on the Isle of Man Government email system, Microsoft Outlook and are encrypted and protected in line with government standards. If your email service does not support this encryption, you should be aware that any emails we send or receive may not be protected in transit.

We will also monitor any emails sent to us, including file attachments, for viruses or malicious software. Please be aware that you have a responsibility to ensure that any email you send is within the bounds of the law.

The GSC use Microsoft Dynamics CRM to hold personal and business information relevant to our licence holders. Only certain members of staff will have access to your personal information on CRM and there is security in place to ensure this.

The GSC also use the Isle of Man Government Secure Network – There are strict access controls in place meaning that only those within the GSC can access information stored in folders on our network; in addition, only the teams within the Divisions who are able to access personal information, are those that have a business need to do so.

The administration of CRM and the secure network is undertaken by GTS under a data processing agreement. They should not access your personal data without the GSC’s explicit permission, and only where vital for the administration of the system.

Paper records - We do not routinely store manual records, however, those that are already in storage and a new records we are required to hold any manually are either stored on site or in a third-party storage facility with whom we have a data protection agreements in place.

We will only keep your information for the minimum time necessary to perform our regulatory functions. Our general approach is to retain personal information relevant to the operation of a licence holder for a period of six years following the date the relationship with the GSC formally ended. Other personal data collected to during the course of our regulatory activities may be deleted sooner, once the need for processing that data has concluded.

This may be to:

• Comply with our statutory function and legal obligations.
• Inform our regulatory work in accordance with these objectives - including investigations and enforcement.
• Conduct research/ collate statistics for publication and/or for the purposes of formulation of policy.

Personal information relevant to the checking of the fitness and propriety of a person to be approved by the GSC will be retained for the minimum period necessary in making that determination.

The need to retain information for historical or archiving purposes by the Public Record Office under the Public Records Act 1999. Click here for more information.

You have the right to ask for a copy of any personal information that we may hold about you by making a Subject Access Request

Such requests will be dealt with as a subject access request under Data Protection legislation.  We are obliged to provide within 30 days unless an exemption applies unless your request is particularly complex, in which case we are able to extend the response period by a further two months.  Where this is the case, we will inform you of our intention to extend the deadline and our reasons for doing so.

To assist us locate the information you need, we ask that you complete the Subject Access Request Form and provide proof of identity and residency. These should be emailed to the DPO-GSC@gov.im.

There may be some circumstances, where an exemption is applicable under GDPR, when we will not be able to provide you with the information that you have requested.  We will not be able to provide any information which might identify another individual (third party information), unless that person agrees.

If after you have received the information you have requested, you believe that the information is inaccurate or out of date; or that we should no longer be holding that information or we are using your information for a purpose of which you were unaware then you should notify the Data Protection Officer at once, stating the reasons you believe any of the above to be correct.

The Isle of Man Information Commissioner provides guidance on making subject access requests. Information can be found on their website below. 

The GSC may publish consultations on various topics, seeking input from the industry, companies, parliamentarians, researchers, and the public. Participation is voluntary, and personal information is generally not required. Responses help inform policy and regulatory work.

If contact details are provided, they may be used for follow-up. Summaries of responses will not contain personal data, and names will only be published with consent. It is in the GSC’s legitimate interest to seek these views, and participants can respond anonymously or withdraw at any time

Information on how to do this can be found on the Consultation Hub website or by contacting the GSC’s Data Protection Officer at DPO-GSC@gov.im 

The Cabinet Office of the Isle of Man Government run the Consultation Hub. More information on the use of the Consultation Hub, can be found on the Cabinet Office’s privacy notice.

Articles 12 to 22 of the Data Protection (Application of GDPR) Order 2018 set out the rights you have as a data subject.

These rights are subject to the restrictions set out in Article 23.

Your right to be informed

You have the right to be provided with clear and concise information about what we do with your personal data. This Privacy Notice explains how we collect and process your personal data.

Your right of access

You have the right to access and obtain a copy of your data and certain processing information on request, subject to certain restrictions. 

Your right to rectification

You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.

Your right to erasure

You have the right to ask us to delete your data in certain circumstances. For example:

• Where the data is no longer needed for the purposes it was collected.
• You object to processing and there are no overriding legitimate grounds to continue.
• Where the data has been unlawfully processed or where the data has to be erased for compliance with a legal obligation.

Personal data will be retained under our legal obligation to carry out our statutory functions, for a period as defined within our Records Retention Schedule.

Your right to restriction of processing

You have the right to ask us to restrict the processing of your personal information in certain circumstances. For example:

• The accuracy of the data is contested – for a period necessary to allow us to verify its accuracy;
• The processing is unlawful and you request restriction instead of erasure; or
• We no longer need the data for the purposes it was collected, but you need it in connection with a legal claim.

The right to restrict processing is subject to our legal obligation to carry out our statutory functions.

Your right to object to processing

You have the right to object to the processing of your personal information in certain circumstances. In this case, we will stop processing unless we can demonstrate compelling legitimate grounds for continuing the processing, which override your interests.

This only applies in certain circumstances and will therefore depend on the purpose and lawful basis for processing. As most of our processing is conducted in order for us to comply with a legal obligation and/or perform a public task, this right will not be available in most circumstances.

Your rights related to automated decision making including profiling

We do not currently carry out any automated decision making.

Your right to data portability

To receive personal data you have provided to us in a structured, commonly used and machine readable format where it is processed by automated means. You may also request that we transmit this data to another controller. The right to data portability is not applicable for personal data processed where the lawful basis for this processing is necessary for us to perform a task in the public interest or for our official functions.

Exercising your rights

If you would like to exercise any of these rights, please contact our Data Protection Officer.

Your rights may be limited where we are processing your personal data for certain regulatory activity or law enforcement purposes, such as the inspection and investigation of criminal offences. We will be able to advise you if this is the case when you seek to exercise rights in relation to your personal data.

You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you.

The main purpose of this website is to provide you with information.

Where you choose to contact us about a query or to complain against a licence holder, we will only use the limited personal information you provide through our contact pages to assist answer your questions.

We do not store your personal information on the website. 

If you have any concerns about how we collect or process your data, you can write to our Data Protection Officer using the address above or by email to DPO-GSC@gov.im.

You also have the right to request the Isle of Man’s Information Commissioner (ICO) to undertake an assessment as to whether the processing of your personal data has been carried out in accordance with the provisions of the Isle of Man Data Protection Legislation.

Further information regarding complaints to the ICO can be obtained by calling +44 1624 693260. Information can be found on their website below. 

This Privacy Notice may change. We will not reduce your rights under this Privacy Notice without your consent.

If any significant change is made to this Privacy Notice we will provide a prominent notice on this website so that you can review the updated Privacy Notice. 

Overview

This section provides specific information on privacy matters for individuals applying for jobs at the GSC. 

Why does the GSC collect personal data from job applicants?

We collect and processes personal data relating to job applicants in order to carry out its recruitment process. We are committed to being transparent about how we collect and use that data and to meeting its data protection obligations.

The Isle of Man has data protection laws describing what an organisation must do if it processes personal data and what rights you have in respect of your data. Please see the Information Commissioner’s website for more details: https://www.inforights.im/.

What personal data does the GSC collect about you?

We collect the following personal data about you as part of the recruitment process:

• Full name, previous name(s)
• Contact details including email address, telephone numbers, home address
• Details of your academic and professional qualifications, skills, experience and employment history, including start and end dates with previous employers
• Information about your current employment, remuneration and benefits
• Information you supply about how you meet the criteria for the role
• Information about your criminal record (including details of any spent convictions if you are applying for the roles of a member of the Commission, Chief Executive Officer, Deputy Chief Executive Officer or Director)
• Information on disciplinary action, disqualifications, suspensions, civil litigation, bankruptcy or disqualifications
• Information about your entitlement to work in the Isle of Man
• Details of your employment, academic or personal references and contact details for your referees.

The following personal data categories will only be collected and processed by us following successful application and acceptance of job offer:

• Gender, marital status, date of birth
• Previous address(es), nationality, your passport and other identity documents

We may collect this information in a variety of ways. For example, data may be collected from:

• application forms;
• CVs;
• your passport; 
• other identity documents such as your driving licence;
• correspondence with you; or
• through interviews.

We may also collect personal data about you from the following sources:  

• references supplied by former employers,
• information from providers of employment background checks,
• information from criminal record checks
• right to work checks, including work permit and immigration checks.

We will seek information from third parties if a job offer has been made to you and will seek your permission before doing so.

Why does the GSC process personal data about you?

We will only process your personal data if it has a lawful basis for doing so. The main lawful bases that apply to our processing of personal data of job applicants are:

Processing is necessary in order to take steps at your request prior to entering into an employment contract.

As part of the recruitment process, we need to process certain personal data prior to entering into a contract with you. We will not use your data for any purpose other than for recruitment purposes and you are free to withdraw from the process at any time. Should your job application be successful and you subsequently become an employee of the GSC, other lawful bases for processing your personal data will then apply (there is a separate Employee Privacy Notice)

Processing is necessary for compliance with a legal obligation to which the GSC is subject (e.g. for the purposes of recruiting staff).

In some cases, we need to process personal data to ensure that it is complying with its legal obligations. For example, it is a requirement to check a successful applicant’s eligibility to work in the Isle of Man before employment starts.

Processing is necessary for the purposes of the legitimate interests pursued by the GSC or by a third party.

We have a legitimate interest in processing certain personal data about you during the recruitment process and for keeping records of the process.

Processing data from job applicants allows us to manage the recruitment process, assess and confirm a candidate’s suitability for employment and decide on to whom to offer a job. We may also need to process data from job applicants to respond to and defend against legal claims.

Does the GSC process any sensitive personal data about you?

Some sensitive personal data (referred to as ‘special category’ data), about job applicants (such as information about health or medical conditions) may be processed by us to carry out our employment law obligations, such as those in relation to prospective employees with disabilities.

The main conditions that apply to the processing of special category data of job applicants by us are as follows:

• Processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the GSC or of the employee in the field of employment and social security and social protection law.

• Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Isle of Man law.

• The job applicant has given explicit consent to the processing of their personal data for one or more specified purposes.

Should your job application be successful, we will establish if you have any health or disability issues for which we may need to make suitable adjustments to planned working arrangements. We will do this only after if job offer has been made. Such processing of personal data is necessary for us to carry out its obligations and exercise specific rights in relation to employment.

We will only process health data which is necessary to satisfy its duty of care to job applicants. Any health data will be held securely and will only be shared where necessary to protect the interests of job applicants and with the express permission of the individual concerned.

We processes personal data about job applicants relating to criminal convictions and offences in order to carry out its obligations and exercise specific rights in relation to employment.

If you apply for any of the following roles, you will be required to provide a record of any spent convictions as part of enhanced considerations around your suitability for the role, by virtue of Part 2 (4) of Schedule 1 of Rehabilitation of Offenders Act 2001 (Exceptions) Order 2018:

• A member of the Gambling Commission

• The Chief Executive Officer

• Deputy Chief Executive Officer

• Director

How does the GSC store and protect your personal data?

Personal data will be stored in different places depending on the circumstances. These may include your application record, in Human Resources (‘HR’) management systems and on other IT systems (including email). The GSC will share your data with other data controllers and data processors where this is necessary for the purposes described in this privacy notice. Please see below for further details.

We take the security of your personal data seriously and it has internal policies and controls in place to try to ensure that your data is not lost, accidentally destroyed, misused or disclosed and it not accessed except by relevant employees in the performance of their duties.

How long does the GSC keep your personal data for?

If your application for employment is unsuccessful, we will hold your personal data for 12 months after the end of the relevant recruitment process to meet obligations under the Equality Act 2017. At the end of that period your data will be deleted or destroyed.

If your application for employment is successful, personal data gathered during the recruitment process will be transferred to your personnel file and retained during your employment. The periods for which your data will be held are set out in our records retention schedule.

Does the GSC share your personal data with other parties?

Your information may be shared with relevant GSC staff for the purposes of the recruitment exercise. This includes the HR team, interviewers and any other members of staff who are decision makers in the recruitment process.

We will not share your data with third parties unless your application for employment is successful and it makes you an offer of employment. Once you give permission to do so, we will share your data with former employers to obtain references for you. 

We will not transfer your personal data to countries outside the Isle of Man without either your consent or an appropriate lawful basis for doing so. Similarly, we do not authorise third parties to transfer your data outside the Isle of Man unless either of those conditions are met.

The GSC is under an obligation to ensure that any personal data transferred outside of the Isle of Man, the European Economic Area (‘EEA’) or a jurisdiction with an adequacy decision for the European Union’s General Data Protection Regulation (‘GDPR’) (such as the United Kingdom) is subject to appropriate safeguards.

What rights do you have over your personal data?

 As a data subject, you have a number of rights over your personal data and how it is processed:

Right to be informed

This Privacy Notice explains how we collect and process your personal data as an applicant for a job within the GSC.

Right of access

You can access and obtain a copy of your data and certain processing information on request.

Right to rectification

You can request that we change incorrect or incomplete information.

Right to erasure

You can request that we delete your data, for example where the data is no longer necessary for the purposes of processing.

Right to restrict processing

You can request that we restrict processing of your data, for example where there is no longer an appropriate basis for processing.

Right to data portability

You can request personal data you have provided to us in a structured, commonly used and machine readable format where it is processed by automated means. You may also request that we transmit this data to another controller.

Right to object

You can object to the processing of your data by us. This only applies in certain circumstances and will therefore depend on the purpose and lawful basis for processing.

Rights related to automated decision making including profiling

The GSC does not currently carry out any automated decision making.

If you would like to exercise any of these rights, please contact the GSC's Data Protection Officer (see contact details section).

If you believe that the GSC has not complied with your data protection rights, you can discuss your concerns with our Data Protection Officer (see below). If you are not satisfied with a response you receive from us then you can make a complaint to the Isle of Man Information Commissioner, whose details can be found on www.inforights.im. You may have a right to other remedies.

What happens if you do not provide personal data?

You are under no statutory or contractual obligation to provide data to the GSC during the recruitment process. However, if you do not provide the information, we may not be able to process your application properly or at all.

Changes to this Privacy Notice

This Privacy Notice may change. If any significant change is made to this Privacy Policy we will notify you.

Isle of Man Freedom of Information Act 2015 ('FOIA')

The Freedom of Information Act 2015 (FoIA) gives Isle of Man residents a legally enforceable right to obtain access to information held by a Public Authority. This is subject to certain exemptions and practical refusal reasons.

You can find out more information on the FoIA including how to make a request to us here: Isle of Man Government - Freedom of Information and you can also use this link to view previous requests and their responses.

We are the controller for the personal data you provide when making a FoI request to the Commission.  

Legal basis for processing your information

We need your personal information (such as your name and contact details) to process and respond to you about your FoI request. In some cases, we may ask for proof of identification, and proof of residency, so that we can comply with the FOIA.

We must have a legal basis (a lawful reason) to process your personal data, which is submitted by you when you make a FoI request. The legal basis for processing your information when you make a request is that it is necessary for us to comply with the law (FOIA), or that it is necessary for us to perform a public task in the public interest. This is set out in Articles 6(1)(c) and (e) of the Schedule to the Data Protection (Application of GDPR) Order 2018 – this legislation is sometimes called 'the Applied GDPR').

Sharing information

FOI requests have to be submitted on a form prescribed by the Chief Executive Officer (Isle of Man Government) in order to be valid and accepted under the FoIA. You can either submit a request using the form online or a paper version, which is available by contacting our Data Protection Officer (see below for contact details).

When you make an FoI request using the Online Services Portal on the Isle of Man Government website, a system called iCasework is used to process your request. The iCasework system is provided by a company called Civica UK Limited. This system stores information such as: 

• Your name
• Your address
• Your telephone and email address
• Your company name, if you are requesting information on behalf of an organisation
• Your request
• If requested proof of residency from you 

Civica UK Limited act as a Processor on behalf of all the Isle of Man Public Authorities. Civica UK Limited use the information held in the iCasework system for the purpose of providing a system to manage FOI requests and to transfer this information to the relevant public authority. The information you provide to Civica UK Limited will be kept secure and confidential. 

Access to your information is limited to authorised staff members within the Commission.

The Department of Home Affairs (DHA), through the Office of Cyber Security & Information Assurance (OCSIA), has been contracted by the Commission to manage system administration on our behalf. 

If you are unhappy with the response to your Freedom of Information request

If you are dissatisfied with the response to your request for information, or the way your request was handled, you have the right to request the GSC  to undertake a review.

If you are still unhappy following the review, you can complain about your request to the Information Commissioner’s Office. In this case the Commission will need to share information, such as emails we have sent or received from you with them so that the Information Commissioner can investigate the complaint. 

Storing your information

Your personal information will be held in iCasework for 12 months after the Commission has closed your request, or if you requested a review of your request, 36 months after the closure of your request.

After this time, the request will remain on the iCasework system, but all your personal information you provided at the time of the request will be deleted. 

Your rights

The Applied GDPR (data protection legislation) provides you as a data subject with some rights to be informed of the processing of your personal data, including the right to access that data and information about the purposes for processing. 

This includes a right to correct (rectify) any information the Commission holds, or to restrict it in certain circumstances. 

As the Commission is processing your data in order to comply with its legal obligations, certain of the data protection rights do not apply, including the right to have your data deleted (erasure), transferred to another provider, the right to object to the processing, and be informed about automated decision making. 

When using the iCasework site or dealing with FOI requests, the Commission does not make automated decisions or profile your data.