About this Privacy Notice
What do we mean by personal data?
Personal data is any information that could be used (directly or indirectly) to identify you. That could be anything from your name and address, your bank details, your email address, an image or recording of you, your IP address or any other data that could be used to identify you. Occasionally we collect and process sensitive personal data called special category personal data.
What do we mean by special category data?
Special category data is personal data of a sensitive nature. We only collect special category data in specific circumstances. For example where you have provided us with data about your ethnicity for equal opportunities monitoring of recruitment or data about your health to ensure that we accommodate your needs when you are visiting us.
What do we mean by processing your personal data?
Processing data simply means doing something with your personal data. That could be collecting your data as part of a job application, sharing it, or monitoring calls for compliance purposes. If a company or organisation does anything with your personal data, they are processing it.
The personal data we collect and what we do with it
When you use our contact us page
When you contact us online through the Contact Us form on this website we collect the following personal data:
- Your name
- Any contact information you provide like your email address and phone number
- The category of your request
To help us with your query we ask you for your name, email address and telephone number. We ask you to indicate a category for your request so we can direct it to the right member of our team to provide you with a response. Once we have processed your query we will erase your query after a maximum of twelve months unless we have a legal obligation to retain it. The administrative process of responding to enquiries is a legitimate interest activity which is necessary for the effective operation of our business.
When you apply for a job
When you apply for a job we process the information that you provide in your application. This includes all of the details on your CV and any supporting information that you provide. For most candidates this will include the following attributes: name, contact details, work experience, qualifications, salary expectations, date available and job title.
How this data is processed will depend upon whether you apply directly or through an agency.
Where an agency provides us with your details they and People’s Postcode Lottery will be data controllers in relation to your data. Where you apply directly People’s Postcode Lottery is the data controller in respect of the data you provide.
We will store your data and use it to administer our recruitment process while we are considering your candidacy. If you become an employee these records will be incorporated into your personnel file and held in line with our normal retention period for employment files, which is six years from the time that your employment with us ends. Unsuccessful applicants’ details are held on file for six months, after which they are deleted. We have a legitimate interest in the recruitment of new team members.
We collect your personal data when you ask to be added to our careers alerts service.
We collect the following personal data:
- Your email address
- Your alert preferences
- Your fields of interest
We will only send you these emails where you have requested that we do so. By signing up for these alerts you have given your consent to receive them.
Journalists and corporate contacts
We use publicly available lists of media industry contacts. In other areas of our business we maintain address books and contact details for our commercial, third sector and other contacts. We use these records to issue commercial correspondence and administer our commercial and other stakeholder relationships. These are legitimate interests activities.
Our public affairs team keep records of their meetings with elected officials. This allows us to ensure the accuracy and relevance of our communications with this stakeholder group. We do not record any information about special category political opinions of our stakeholders beyond the titles or positions they hold or information which has already been made public by those individuals in the performance of their public functions.
We monitor the information and traffic on our corporate systems.
We use Security Information and Event Management software (SIEM) to monitor signs of suspicious online activity, including malware and the inappropriate transmission of data.
As part of our commitment to Social Responsibility, we may review and monitor your behaviour if you interact with us via social media for the purpose of identifying those who may be considered vulnerable and at a greater risk of experiencing any harm associated with gambling. We may process personal data and special category data for this purpose and do so on the basis that processing is necessary for reasons of substantial public interest to safeguard the interests of our players and others who interact with us.
All calls coming into and outgoing from our call lines and our multimedia channels are recorded and are monitored from time to time for quality, analysis and compliance reasons. We carry out these activities because we have a legitimate interest in maintaining the quality of the service that our customer experience team provides to the public and to ensure that our training and procedures are relevant to the issues our employees face when handling calls. We have a legitimate interest to do this because it helps us to achieve our objectives and ensure that we meet the call quality and performance standards that we have set.
We share data with a number of organisations. The categories of recipients of data include:
- We share data of commercial contacts to facilitate their attendance at events with the charities and promoting societies that we support
- We share data with our professional legal advisers where necessary. We have a legitimate interest to do this to ensure that our business complies with the law and that the business has access to appropriate advice on any disputes
- We share information with our sister lotteries and Novamedia, to better collaborate across the group and for strategic planning, events and travel.
We operate pages on Twitter, LinkedIn and Glassdoor. If you are a user of those services you can contact us publicly or in a direct message and share information with us on those pages if you wish to. We use aggregated statistical outputs from posts on social media to analyse customer service issues that may be affecting our customers and to ensure that we are dealing efficiently with such issues. We may also use pseudonymised individual comments in our reporting to highlight specific issues affecting our customers and our reputation. We will keep a record of that information for one year. You should be aware that this retention only applies to the records we keep. It does not apply to retention of the data on the social media platform, which will separately apply retention to the data in line with its own policies.
Where you interact with us on social media, personal data may be collected by the platform provider with whom you have an account who may use it independently from us. We have no control over and accept no liability for how they use your personal data. You can access more information about how they use data gathered from their websites here:
When using social media platforms you should familiarise yourself with their Privacy Notices and how they use your data, for more detail see social media.
What we do with your personal data
In this section we will explain how we process your personal data and the legal basis for doing so. We will also explain what a data controller and a data processor are. We have tried to use plain English wherever possible but it is important you understand what these legal terms mean.
What is a data controller?
People's Postcode Lottery is a data controller. That means we are responsible for determining what happens to the personal data we collect, including how we process it. As a data controller we are also responsible for monitoring and approving the data processors we pass your personal data to.
What is a data processor?
People's Postcode Lottery use data processors to provide personal data processing services. A data processor carries out processing on behalf of a data controller. We might employ the services of another company to carry out data processing for us. As an example we (the data controller) might ask another company (the data processor) to send you an email or letter. We would need to give that company your contact details so they know where to send the letter.
What is a legal basis to collect and process personal data?
There are a number of legal bases that a data controller can use to process or share personal data.
The legal bases People's Postcode Lottery rely on to process your personal data follow in the next sections.
Consent means you have given us clear and informed permission to process your personal data. Consent is a legal basis to process personal data. An example might be you have asked us to send you promotional materials. Remember, you can withdraw your consent at any time.
Legal and regulatory
Sometimes we have a legal or regulatory obligation to process your personal data. That might include conditions relating to our operating licence (issued by the Gambling Commission) and to other relevant laws such as employment laws which apply to our process for recruitment.
Sometimes we have a legitimate interest to process your personal data. Where we use legitimate interest to process your personal data we will ensure that our legitimate interests are proportional and do not compromise your personal data rights. You can object to us processing your data for legitimate interests at any time. In some circumstances we may continue to process your personal data using legitimate interests where we can demonstrate that our interests override your right to object.
Other ways we use legitimate interest to process your personal data
We process your personal data as part of our normal business functions. We have a legitimate interest in doing so. Those activities include:
- The operation and testing of our information technology systems
- Admin functions and organisational processes including the provision of insurance for our activities
- Analysis and monitoring for business planning
- To meet our corporate social responsibility obligations
- Communications activity and events administration
International transfer of your personal data
We may transfer some of your personal data outside of the EEA (European Economic Area).
We will only do that where:
- A country is deemed adequate by the European Commission or it is covered by the privacy shield
- We use standard European Commission approved contracts
If you have any questions about this data privacy notice or would like additional clarification, please contact firstname.lastname@example.org.
Please note that where you interact with us or provide personal data to our social media pages using your social media accounts this may result in the processing of your personal data outside the European Economic Area by the relevant social media platform.
The basis upon which any such personal data may be transferred outside the EEA is determined by the platform provider. You can access more information about how the hosts of our current social media accounts use data gathered from their websites.
The personal data we collect and process when you visit our website
How we monitor your activity on our website
It is important to us that we give our website visitors the best possible experience when they use our site. We use a number of tools to help us monitor activity on our website. We use consent as the legal basis to collect and process this data.
What are cookies?
Cookies are small data files that are downloaded to your computer when you visit our websites. Cookies help us manage how our website operates, understand how you use our website and to help us improve our marketing activity. The length of time a cookie is stored on your device can vary depending on the purpose of the cookie.
Some cookies are necessary to enable our website to operate. These cookies do not rely on your consent because they are required for the function of our website.
Session cookies are temporary cookies that are downloaded to your device’s temporary memory. They have no expiration date and are typically erased when you close your web browser but some can persist longer. When you continue to browse our website you are giving your consent to the use of these cookies.
Persistent cookies are downloaded to your computer so that when you close your browser they remain on your computer. Persistent cookies have an expiration date. When you continue to browse our website you are giving your consent to the use of these cookies.
Where we use 3rd party social media sites these sites may also set analytics cookies which can result in those sites processing data about your visit.
How these cookies are set and what information they gather is determined by the social media platforms. They use the information from cookies to provide us with anonymous statistical information about visitors to our pages on their sites. Depending upon your browser settings these cookies may be set on your device. This can occur regardless of whether you have an account on the platform or not.
We have public pages on LinkedIn and Twitter. You can access more information about how they use data gathered from their websites:
What type of cookies do we use?
What it does/why it's used
Keeps track of your cookie preferences, removing the need to update them on every visit.
To hide the Cookie Message from future visits otherwise the Cookie message will show to returning visitors every time they come to the site.
What it does/why it's used
These cookies are created by Google Analytics and help us identify ways to improve our website and visitor journeys.
We will only download functional cookies without your consent. If you wish to withdraw your consent for any other cookies, you can do so using the functionality on the Manage Cookies web page. This link is also found in the footer section of every web page.
Your Personal Data Rights
Under GDPR (the General Data Protection Regulations) you have a number of personal data rights you can exercise over your personal data. We will explain those rights and how you can exercise them here.
Your right to be informed
We believe it is important that you fully understand what we do with your personal data. This is known as the right to be informed. This privacy notice gives detailed information about the type of personal data we collect, how we process that data, and how we share that data with data processors and other data controllers. We will inform you:
- Of your data protection rights
- When we share your personal data with data processors or other data controllers
- If we send your personal data outside of the EU
- Of the purpose of and legal basis for our processing
- About the implications of not providing personal data we have requested under a contractual or legal requirement
- How to withdraw consent you have given previously
- About any profiling activity we conduct which results in automated decision making. This is explained in more detail in your right to object to profiling
- About your right to complain to the information commissioner
- About the length of time we retain your personal data for and the reasons we do
- If we want to change the way we process your personal data we will inform you beforehand and give you an opportunity to object
- If and how we obtained your personal data from a third party
Consent can be withdrawn if you choose
You can withdraw your consent at any time by calling 0800 368 5556 or by emailing email@example.com.
Your right to correct personal data we hold
Although we make every effort to ensure your personal data is complete, up-to-date and accurate we recognise that sometimes mistakes happen. You can ask us to correct your personal data at any time. This is known as the right to rectification.
You can ask us to amend your personal data by emailing firstname.lastname@example.org.
Your right to access your personal data
You have the right to ask for a copy of your personal data and any special category data we hold. You can also request copies of any personal data and special category data we have shared with our data processors and any other data controllers. There are many reasons you might request a copy of your personal data:
- You would like to check the details we hold to correct any inaccuracies
- To ensure we are processing your data lawfully
- To make a Subject Access Request (SAR). This is a specific request to get a copy of the personal data that we use and that our data processors and any joint data controllers hold. Data will be provided in a user-friendly secure format. See data portability.
You can ask us for a copy of your personal data by contacting People's Postcode Lottery's data protection officer at 28 Charlotte Square, Edinburgh, EH2 4ET or by email at email@example.com.
The more information you provide when you make your request the sooner we will be able to respond. We aim to provide the data requested within thirty days but more complex requests may take longer (up to three months). We will let you know if we believe your request could take longer to respond to than one month.
We will not charge you for making an access request unless we have already provided the personal data you ask for. In those cases we will provide new information only. We may decline excessive requests or unfounded requests (or charge a small fee to provide the information) but we will always make it clear why we believe that to be the case. In unusual cases we may decline a request because the data requested contains personal data about someone else and we consider that their rights may be compromised by the request.
Your right to object to processing
You might not want us to process your personal data in a certain way or for a specific reason and can ask us not to where we use legitimate interests as the legal basis for processing. What does that mean in plain English? When we are using legitimate interests as the basis for processing your personal data, you can ask us not to do this at any time. If we want to continue to process the data we must be able to show that our continued processing is not detrimental to your interests.
Your right to object to profiling
What do we mean by profiling? Profiling is the way we use data to better understand our players. Some of this is carried out by us or by our data processors. This helps us to provide a better lottery experience and service for players.
We use data supplied by a third party data processor to append data to your personal data when you join the lottery. We do this to better understand our players and improve our services. We may also use profiling for matters such as checking players are sixteen years or over, the identity of our players, and that the bank details that have been provided are correct.
If you would prefer us not to use your personal data for a specific profiling activity, you can ask us not to by contacting firstname.lastname@example.org or 0800 368 5556.
The more information you provide when you make your request the sooner we will be able to respond. We aim to provide the data requested within one month but more complex requests may take longer (up to three months). We will let you know if we believe your request could take longer to respond to than one month.
Your right to erasure
We recognise that sometimes you'd rather we erase some or all of the personal data we hold. This is known as the right to erasure. You might ask us to do this where:
- We no longer need the data for the purpose it was gathered
- You gave us consent but want to withdraw that consent
- You object to the automated processing we carry out
- We have processed your data unlawfully
- We have a legal requirement to erase your personal data.
The more information you provide when you make your request the sooner we will be able to respond. We aim to provide the data requested within thirty days but more complex requests may take longer (up to three months). We will let you know if we believe your request could take longer to respond to than one month. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which we will tell you about at the time of your request. For example, we may decline a request to delete your data where we still need to retain it to meet our regulatory obligations and we require to retain it in line with our regulatory retention periods.
Your right to restrict processing
You have the right to ask us to restrict the way we process your personal data. You can ask us to restrict the ways in which we process your personal data because:
- You believe the personal data we hold is inaccurate and you'd like us to stop processing your personal data until it has been corrected
- You believe your personal data has been unlawfully processed and you would like us to restrict our processing while we investigate
- You may not need the personal data any more but you would like us to retain it while a legal claim is in process
You can ask us to amend your personal data by contacting email@example.com or by calling 0800 368 5556.
The more information you provide when you make your request the sooner we'll be able to respond. We aim to provide the data requested within one month but more complex requests may take longer (up to three months). We'll let you know if we believe your request could take longer to respond to than one month or if we are unable to comply with it for legal reasons.
Your right to move your personal data
If you want a copy of your personal data that you would like to give to someone else, you can ask us to give you that data in a common, user-friendly and secure format. We can send your personal data directly to you or to a third party you specify. This is known as your Right to Portability.
You should be aware that asking for a copy of your personal data does not mean we will erase that data unless you specifically ask us to. You can find out more about erasure in your Right to Erasure.
You can ask us for a copy of your personal data by contacting the Lottery's data protection officer at 28 Charlotte Square, Edinburgh, EH2 4ET, by email at firstname.lastname@example.org, or by calling 0800 368 5556.
The more information you provide when you make your request the sooner we will be able to respond. We aim to provide the data requested within one month but more complex requests may take longer (up to three months). We will let you know if we believe your request could take longer to respond to than one month.
Your right to complain
We pride ourselves on our high standards of customer service. Even with the best intentions and training we recognise that we may sometimes fall short of your expectations. If you are a player and want to complain about the way we undertake activities under our licence from the Gambling Commission, this may be dealt with through our complaints procedure.
If your complaint relates to your personal data you can contact our Data Protection Officer at 28 Charlotte Square, Edinburgh, EH2 4ET or by emailing email@example.com. If you remain unsatisfied with our handling of your complaint you can complain to the Information Commissioner's Office (ICO).
If your complaint relates to your personal data you can complain to the Information Commissioner's Office (ICO). You can find out more about that right and the process at www.ico.org.uk or by writing to the ICO at:
Information Commissioner's Office
Tel: 0303 123 1113 (local rate) or 01625 545 745 if you prefer to use a national rate number.
Fax: 01625 524 510
Your right to be informed if your personal data is compromised
In the unlikely event that the personal data we hold is breached or compromised in a significant way that would be a high risk to your rights and personal freedoms, we will contact you without delay to let you know:
- What happened and how it happened
- What data was affected and what that means to you
- What we are doing about it and how you can stay informed
- How you contact our data protection officer
How we keep your personal data safe
At People's Postcode Lottery information security is very important to our business. We are fully committed to ensuring information security, confidentiality, and integrity and we undergo annual security audits by the Gambling Commission.
Our commitment to protecting your personal data
People's Postcode Lottery hold BSI BS10012 certification. Our BSI certification demonstrates our commitment to collecting and processing personal data to the highest standards.
How we minimise risk
People's Postcode Lottery hold ISO 27001 Certification. This certificate indicates we have established the legal, physical and technical controls to minimise data security risk.
Our approach to cyber security
People's Postcode Lottery hold Cyber Essentials certification. This certificate demonstrates our commitment to cyber security.
The information you send us online
The methods we use to ensure data is safeguarded while being sent over the internet are industry-standard. When information reaches us we store it securely and only provide access to authorised personnel or data processors.
How we restrict data access to your personal data
People's Postcode Lottery maintains strict physical, electronic and administrative safeguards to protect your personal data from unauthorised or inappropriate access. Personal data collected by us is stored in secure operating environments that are not accessible by the public. In the unlikely event that an employee or a data processor misuses that information they will be liable to appropriate legal and disciplinary sanctions.
17 December 2019