1. Who we are?
GambleAware is an independent charity (Registered Charity England & Wales 1093910, Scotland SC049433, Registered Company Number 4384279) tasked to fund research, prevention and treatment services to help to reduce gambling-related harms in Great Britain.
2a Charing Cross Rd
London WC2H 0HF
2. What do we do?
GambleAware is a commissioning and grant-making body, not a provider of services. Guided by the National Strategy to Reduce Gambling Harms, the charity’s strategic aims are to: broaden public understanding of gambling-related harms, in particular as a public health issue; advance the cause of harm-prevention so as to help build resilience, in particular in relation to the young and those most vulnerable to gambling-related harms; and help those who do develop gambling-related harms get the support that they need quickly and effectively.
The objects of the charity are here.
3. Data Protection
As you browse our website, get in touch with us, or provide donations to us we collect personal information. This deepens our understanding of what you are interested in, and helps us to improve the efficiency of our work.
GambleAware will never exchange or sell your information to another organisation for their own marketing purposes. We know that this is important to you, and want to reassure you that you’re always in control of how we use your personal information in regards to marketing and fundraising activities.
We do however need to collect and use your personal information for carefully considered and legitimate business purposes, which help ensure we can run GambleAware efficiently, raise funds effectively and meet our charitable objects. This policy explains how your personal information will be used, what data we collect, our legal basis for its use, along with outlining your rights in respect of personal information.
4. Purposes for which your personal information is processed
In simple terms, your personal information may be used to help us effectively meet our charitable objects or to help us raise funds for those charitable activities we commission.
We always strive to provide a clear, honest and transparent approach regarding how and when we may collect and use your personal information. The overview below summarises the different reasons why we do this. We may not use your personal information for all of these purposes – it will depend on the nature of our relationship with you, and how you interact with our charitable and fundraising activities, and websites:
- to provide you with services, products or information you have requested (including to link you through to the National Gambling Helpline, which is operated by GamCare);
- to provide further information about our work, services, activities or products (where necessary, and only where you have provided any necessary consent to receive such information);
- to process donations;
- to answer your questions/ requests and communicate with you in general;
- to manage relationships with supporters and beneficiaries;
- to analyse and improve our work, services, activities, products or information (including our website), or for our internal records;
- to report on the impact and effectiveness of our work;
- to run/ administer our website, keep it safe and secure and ensure that content is presented in the most effective manner for you and for your device;
- for training and/ or quality control;
- to audit and/ or administer our accounts;
- to satisfy legal obligations which are binding on us, for example in relation to regulatory, government and/ or law enforcement bodies with whom we may work (for example requirements relating to the payment of tax or anti-money laundering);
- for the prevention of fraud or misuse of our work, services, activities, products, or information;
- for the establishment, defence or enforcement of legal claims.
5. Lawful Processing
GambleAware needs a lawful basis to collect and use your personal information. The law sets out six lawful bases. The following are relevant to GambleAware’s use of your personal information:
- on the basis of a person’s consent
- on the basis of a contractual relationship
- on the basis of “Legitimate Interests”
We may also share your personal information where we are compelled by law to do so.
- Consent: If you are an individual rather than a company, GambleAware will ask for your consent to send you marketing and fundraising emails. You can withdraw consent at any time by contacting us at email@example.com.
- Contractual relationship: We will process your personal information as necessary for the performance of a contract with you – for example if you are a consultant or sole trader working with GambleAware, or to facilitate a payment.
- Legitimate Interests: The law allows personal information to be legally collected and used if it is necessary for a legitimate interest (which could be that of the organisation, a third party, or the individual) - as long as its use is fair and balanced and does not unduly impact the rights of the individual concerned.
There are times when it is neither practical nor appropriate to ask a person for consent. In many situations, the best approach for GambleAware and our supporters is to process personal information on the basis of our legitimate interests, rather than consent.
Please read our Legitimate Interests Statement below.
6. Personal information collected
We collect and use personal information such as name and address details along with other contact information such as email addresses and telephone numbers. We also collect information about the services you use, any purchases or financial transactions you make (including payment details), or any marketing contact preferences you give. We maintain a record of communications we send to you and we will log any communications that you send to us.
Do we process ‘sensitive’ personal information?
Under data protection law, certain categories of personal information are recognised as sensitive and requiring greater protection, including personal information about your health, race, religious beliefs, and political opinions (‘sensitive personal data’, also known as special category data). In limited cases, we may collect sensitive personal data about you, such as information about your health. We would only collect sensitive personal data if there is a clear reason for doing so, such as where we need this information to ensure that we provide you with appropriate information and advice and we will either rely on your explicit consent or rely on a further basis that is in the substantial public interest (e.g. for the provision of confidential counselling, advice or support or of another similar service provided confidentially) or, in some cases, we may process sensitive personal data in order to protect your vital interests.
7. Where does the personal information come from?
We collect information in the following ways:
- When you give it to us DIRECTLY
You may give us personal information about you by filling in forms on (or downloaded from) our website or by corresponding with us by post, phone, e-mail or otherwise, by making a donation to us, or by fundraising on our behalf. This includes personal information you provide when you register to use our site (if applicable), subscribe to our service, and when you report a problem with our site.
- When you give it to us INDIRECTLY
Your information may be shared with us by independent event organisers, for example Charity Challenge or fundraising sites like Just Giving or Virgin Money Giving. These independent third parties will only do so when you have indicated that you wish to support GambleAware and where necessary with your consent. You should check their privacy policies when you provide your personal information to them to understand fully how they will process (and share) it.
- When you give permission to OTHER ORGANISATIONS to share or it is available publicly
We may combine personal information you provide to us with information available from external sources in order to gain a better understanding of our supporters to improve our fundraising methods, products and services.
The personal information we get from other organisations may depend on your privacy settings or the responses you give to them, so you should regularly check your preferences and settings. This information comes from the following sources:
- Third party organisations
We may receive information about you if you use any of the other websites we operate or the other services we provide. We also work closely with third parties (including, for example, business partners, trade associations, advertising networks, analytics providers, search information providers, credit reference agencies) and may receive information about you from them. For example, we receive information from GamCare and other partners via GambleAware’s ‘Data Reporting Framework’, which is a recognised industry tool for the collection of data on individuals accessing treatment. You are always in control of the provision of personal information to the Data Reporting Framework.
- Social Media
Depending on your settings or the privacy policies for social media and messaging services like Facebook, WhatsApp or Twitter, you might give us permission to access information from those accounts or services. We use third party agencies including Socialbakers, Goodstuff and Eight&four to conduct social media marketing on our behalf.
- Information available publicly
This may include information found in places such as Companies House, Gambling Commission Register, Charity Commission Register, and information that has been published in articles/ newspapers.
- When we collect it as you use our WEBSITES OR APPS
With regard to each of your visits to our site we may automatically collect the following information:
- Technical information, including the Internet protocol (IP) address used to connect your computer to the Internet, your login information, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform;
- Information about your visit, including the full Uniform Resource Locators (URL) clickstream to, through and from our site (including date and time); products you viewed or searched for; page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), and methods used to browse away from the page and any phone number used to call our customer service number.
8. Social Media Marketing
Our marketing agencies use tools available on social media such as Facebook in order to help direct our services to the right audiences. You can learn more about interest-based advertising from Facebook by visiting this page: https://www.facebook.com/help/16496869383795. To opt-out from Facebook’s interest-based ads, follow these instructions from Facebook: https://www.facebook.com/help/568137493302217
Our agencies may also use the Facebook Insights function in order to obtain anonymised statistical data about users who visit our Facebook page. For this purpose, Facebook places a Cookie on the device of the user visiting our Facebook page. Each Cookie contains a unique identifier code and remains active for a period of two years, except when it is deleted before the end of this period.
9. How long we keep personal information
In general, unless we still require the personal information for the purpose for which we collected and/ or process it, we remove your personal information from our records seven years after the date it was collected. However, if before that date (i) your personal information is no longer required in connection with such purpose(s), (ii) we are no longer lawfully entitled to process it or (iii) you validly exercise your right of erasure (see Data Protection Rights below), we will remove it from our records at the relevant time.
If you ask not to receive any further contact from us, we will keep some basic information about you in order to avoid sending you unwanted materials in the future.
10. Data Sharing
GambleAware will not exchange or sell your personal information to another organisation for their own marketing purposes. However, there are some situations where we may have to share your personal information with other organisations, including:
- Business partners, suppliers and sub-contractors for the performance of any contract we enter into with them or you.
- The Gambling Commission, Charity Commission, Fundraising Regulator, Information Commissioner’s Office, legal advisors and relevant professional and trade associations.
- Organisations relevant to, or involved in, your annual financial contribution towards research, education and treatment of those harmed by gambling, as described in the Gambling Commission’s Social Responsibility Code Provision 3.1.1.(2) contained in the Gambling Commission’s Licence Conditions and Code of Practice (LCCP).
- Advertisers and advertising networks that require the information to select and serve relevant adverts to you and others.
- Analytics and search engine providers that assist us in the improvement and optimisation of our site.
- Other third parties that provide services on our behalf, e.g. processing, mailing or delivering orders, answering customers’ questions about products or services, sending mail and emails, customer analysis, assessment and profiling, when using auditors/advisors or processing credit/debit card payments.
In these situations, the relationship between GambleAware and the third party data processor will generally be governed by a contract and strict security requirements will be in place to protect your personal information. GambleAware will never sell or rent your personal information to other organisations.
We may also disclose your personal information to other organisations:
- If we sell or buy any business or assets, in which case we may disclose your personal information to the prospective seller or buyer of such business or assets.
- If GambleAware or substantially all of its assets are acquired by a third party, in which case personal information held by it about its customers will be one of the transferred assets.
11. Data Protection Rights
Where GambleAware is using your personal information on the basis of your consent, you have the right to withdraw that consent at any time. You also have the right to ask GambleAware to stop using your personal information for direct marketing purposes. Simply contact us. You also have the following rights which apply in certain circumstances and subject to exemptions:
- Right of Access – You can ask what information we hold on you and request a copy of that information. If you want to access your information, please send us a description of the information you want to see and proof of your identity so we can ensure that we only provide personal information to the right person.
- Right of Erasure – also known as the right to be forgotten (i.e. to have your personal information deleted or anonymised).
- Right of Rectification – If you believe our records are inaccurate you have the right to ask for those records concerning you to be updated.
- Right to Restrict Processing – In certain situations you have the right to ask for processing of your personal information to be restricted because there is some disagreement about its accuracy or legitimate usage.
- Right to Data Portability – Where we are processing your personal information under your consent the law allows you to request data portability from one service provider to another. This right is largely seen as a way for people to transfer their personal information from one service provider to a competitor.
- Right to Object - You have an absolute right to stop the processing of your personal information for direct marketing purposes.
- Right to object to automated decisions – In a situation where a data controller is using your personal information in a computerised model or algorithm to make decisions “that have a legal effect on you”, you have the right to object. This right is more applicable to mortgage or finance situations. GambleAware does not undertake complex computerised decision making that produces legal effects.
12. Collection of Data through ‘Cookies’
13. Where we store your personal information
The data that we collect from you may be transferred to, and stored at, a destination outside the European Economic Area ("EEA"). It may also be processed by staff operating outside the UK and EEA who work for us or for one of our suppliers. Such staff may be engaged in, among other things, the provision of support services.
Unfortunately, no transmission of information via the internet is completely secure. Although we will do our best to protect your personal information, we cannot guarantee the security of your data in transit online. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.
15. What to do if you are not happy?
In the first instance, please talk to us directly so we can help resolve any problem or query. You can contact us using this email address: firstname.lastname@example.org.
You can also register with the Fundraising Preference Service (FPS). This service is run by the Fundraising Regulator and allows you to stop receiving fundraising email, telephone, addressed post, and/or text messages from a selected charity or charities by using the online service at www.fundraisingpreference.org.uk or by calling 0300 303 3517. Once you have made a request through the FPS, we will ensure that your new preferences take effect within 28 days.
You also have the right to complain to the Information Commissioner’s Office (ICO) at any time if you have any concerns about Data Protection using their help line 0303 123 1113 or at www.ico.org.uk.
16. Legitimate Interests Statement
Data privacy law requires us to have specific lawful reasons in order that we can use (or 'process') your personal information. One of the reasons is called 'legitimate interests'. Broadly speaking Legitimate Interests means that we can process your personal information if we can identify a legitimate interest (which can be ours or another’s), that our use is reasonably necessary to further that interest and we are not harming any of your rights and interests.
If you would like to know more about legitimate interests under data privacy law see the Information Commissioner’s Office (ICO) website.
This statement explains GambleAware’s legitimate interests.
What are GambleAware's Legitimate Interests?
Generally, GambleAware’s legitimate interests are the running of GambleAware as a charity and a business and pursuing our charitable objects.
This includes (non-exhaustively):
- Delivery of our charitable purpose as set out in our governing document, and our charitable objects
- Reporting criminal acts and compliance with law enforcement agencies
- Internal and external audit for financial or regulatory compliance purposes
- Statutory reporting
Publicity & Income Generation
- Conventional direct marketing and other forms of marketing, publicity or advertisement (where we are not required to rely on consent – see the note on corporate subscribers below)
- Unsolicited commercial or non-commercial messages, including campaigns, income generation or charitable fundraising
- Personalisation content used to tailor and enhance the customer experience in our digital and postal communications
- Exercise of the right to freedom of expression or information, including in the media and the arts
- Analysis, targeting, and segmentation of our database to develop corporate strategy and improve communication efficiency
- Processing for research purposes (including marketing research)
- Employee and volunteer recording and monitoring for recruitment, safety, performance management or workforce planning purposes
- Provision and administration of staff benefits such as pensions
- Physical security, IT and network security
- Maintenance of suppression files
- Processing for historical, scientific or statistical purposes
Financial Management & Control
- Processing of financial transactions and maintaining financial controls
- Prevention of fraud, misuse of services, or money laundering
- Enforcement of legal claims including debt collection via out-of-court procedures
- Responding to any solicited enquiry from any of our stakeholders
- Thank you communications and receipts
- Administration of existing financial transactions
- Administration of Gift Aid
- Maintaining “Do not contact lists” (suppression lists)
- Receiving data for research commissioning purposes and sharing it with researchers we commission. GA does NOT control or process research data, i.e. any data used by or generated within research and evaluation projects. This is entirely the responsibility of the teams funded by GA – it is not at any time specified by or provided to GA or stored or analysed by GA.
- No Education Team data is personal, and GA does not qualify as either a data processor or controller for this workstream.
- Patient records for the purposes of investigating serious incidents
- Pseudonymised and anonymised patient data for the purposes of managing treatment grant-funding, and quality assurance
When we process your personal information for our legitimate interests, we will consider and balance any potential impact on you and your rights under data protection and any other relevant law. Our legitimate business interests do not automatically override your interests – we will not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law).
Where we are processing your personal information based on legitimate interests, you have a right to object to this use which can be exercised by contacting us. Please note that in some cases we will continue to process your personal information where the law allows us to – such as if there are compelling legitimate grounds for the processing which override your interests or if the processing is for the establishment, exercise or defence of legal claims.
Note on corporate fundraising and ‘corporate subscribers’:
Our charity processes personal information to deliver marketing and fundraising content to company representatives working at and/or for corporate bodies and entities who derive an income from the gambling industry in Great Britain, with the aim of obtaining the companies’ support, as well as when sending follow up communications (incl. thank you messages, progress reports, invitation to stewardship events, etc). Moreover, we process personal data from individuals working at and/or for a wide range of relevant stakeholders such as legislators (e.g. Gambling Commission, DCMS, Charity Commission), professional trade associations and professional bodies (e.g. Betting & Gaming Council, Lotteries Council, IGRG) and other relevant bodies and organisations (e.g. ABSG).
GambleAware relies on legitimate interest as its legal basis to process personal data and send direct marketing communications promoting our charity and charitable objectives to companies who fall under the ‘corporate subscriber’ category of recipients (as opposed to the ‘individual subscriber’ category of recipients). The law requires us to have consent to send email marketing to ‘individual subscribers’, but not for marketing to corporate addresses. We do so on the basis that:
- The organisation the individual works for is a corporate entity.
- The basis of the communication is relevant to the individual’s work within the organisation, as opposed to contacting them in a personal capacity.
- Our marketing is relevant to the work of the organisation and the individual would reasonably expect this communication given the work that the organisation does.
- We give the individual our identity and contact details so that they can ask us to stop using their personal information for marketing where they wish to; and where we receive such a request, we comply with it.
- We provide a privacy notice in our communications with them to cover how we will process the individual’s personal information and their rights in respect of it.
- We have considered the individual’s reasonable expectations and interest against our own by doing a legitimate interest assessment (LIA). Further information on legitimate interest assessments can be found in the ICO Guide to GDPR (https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr).
Please find further guidance on GDPR and Corporate Fundraising produced by the Institute of Fundraising and the Fundraising Regulator here.
Page last updated: January 2021