1. Data controller
Veikkaus Oy (“Veikkaus”)
Business ID 2765220–1
P.O. Box 1, 01009 Veikkaus
exchange (09) 43701
Contact person in register matters
General Manager, Casino Helsinki and Casino Tampere
P.O. Box 1, 01009 Veikkaus
Tel: exchange (09) 43701
Data controller’s representative
Data Protection Officer of Veikkaus Oy
P.O. Box 1, 01009 Veikkaus
Tel: exchange (09) 43701
2. Purposes and legal basis of processing personal data
Veikkaus processes personal data associated with casino customer accounts primarily based on an agreement with the customer. Veikkaus also processes personal data based on legal requirements, consent, and legitimate interests.
The purposes of processing personal data in the casino customer registers are as follows:
- Customer due diligence and user control. Identifying, authenticating, and authorizing customers in Veikkaus’ services. Realizing the information security of the services and the management of user rights and access.
- Customer service and the operative management, control, and development of customer relations. Management of customer data and customer and contact history. Provision of support and advisory services to customers, and the management and quality assurance of the service measures.
- Carrying out Veikkaus’ operations, games, services, and payments, as well as their follow-up, analysis, reporting, development, and personalization. Assurance and management of gambling, service, and payment transactions. Verification of the gambling rights to the game service. Assurance and testing of the quality and security of the operations.
- Analysing, predicting, grouping, and developing customer accounts. Research and statistical analyses. Targeting customer and marketing communications, developing the offerings of products and services, and business development and reporting.
- Provision and marketing of games and services, as well as realizing and monitoring customer and marketing communications. Processing, analysing, and compiling statistics on customer feedback, customer enquiries, and surveys. Managing communications and campaign history.
- Implementing Veikkaus’ sustainability, and preventing and mitigating the economic, social, and health-related harms caused by gambling. Implementing and monitoring the gambling restrictions and exclusions. Offering customers responsibility analyses and tools for the self-control of gambling.
- Preventing and investigating fraud, crime, and problems.
- Ensuring the legal protection of the customers and Veikkaus and carrying out the obligations based on law and regulatory provisions and guidelines.
- Anonymization and eradication of personal data in a data secure manner.
- The recordings of customer calls are used for verifying service transactions, ensuring the legal protection of the customers and Veikkaus, education, developing the quality of the service, preventing fraud, and security reasons.
The legal basis for the processing of personal data is, depending on the purpose of the processing and/or the personal data,
- Preparing or implementing an agreement between Veikkaus and a customer,
- Compliance with a statutory obligation binding on Veikkaus,
- The customer’s consent, or
- Realization of the legitimate interests of Veikkaus or a third party.
3. Personal data in the register
The following personal data are processed in the casino operations:
• Basic data on the customers:
- Date of birth
• Contact details:
- Address in Finland (updated with the Population Information System)
- Mailing address
- Telephone number
- Email address
• Identifying data on the customers:
- Personal ID number
- Customer number
- Customer card number
- Name, number, or another identifying detail of the document used for the verification of identity, the entity having issued the document, or a copy of the document.
- Passport number of a foreign customer, date and place of issue of the passport
- Photo of the customer
• Data linked to the customer account:
- Loyal customer information
- Any personifying data and preferences disclosed by the customer
- Records of the customer’s death
- Grouping data and other data derived by analytics on the customer
- Data disclosed in enquiries and surveys
- Direct marketing consents and refusals
• Data related to gambling and service production or use:
- Game, service and payment transaction data
- Gambling transaction data
- Game purchases
- Data on claimed winnings and payouts
- Bank account number
- Currency exchange transactions
- Time of arrival at the casino
- Ban on entry or gambling
- Data concerning gambling at the casino
- Suspected or detected gambling fraud
- Data concerning disruptive behaviour
- Data concerning the prevention of fraud
- Restrictions and bans on gambling and their duration
- Participation in and purchase of tickets to events and tournaments
- Customer’s request to be contacted by Peluuri Gambling Helpline
- Information on campaigns and the related follow-up data
- Data concerning customer service transactions
- Behaviour and user information of applications and services (including web analytics, log data, cookies, and other respective tracking technology credentials, the IP address and identification data calculated based on browser and operating system data)
- Recordings of customer calls
- Information on the processing of data
- Customer feedback
By virtue of the Lotteries Act, Veikkaus also has the right to process the following personal data:
- The customers’ nationality, and information of the document proving a foreign customer’s identity.
- Photos of customers of the casinos and special gambling arcades, and data collected during the technical supervision of the special gambling arcades
- Information on a customer’s disruptive behaviour at the casino, at a special gambling arcade, or otherwise associated with gambling
- Information on suspected or proven gambling fraud
- Data on bans or restrictions concerning gambling
- Information on suspected detrimental gambling
- Customer identification data, data concerning the gambling transactions, and other data associated with Veikkaus Loyal Customer accounts
As regards these data, personal data can be processed with data from Veikkaus’ other personal file systems, including Veikkaus Loyal Customer register, whenever processing is indispensable in order to secure the legal protection of those engaging in gambling games, to prevent fraud and crime, to investigate fraud, or to prevent and mitigate the economic, social, and health-related detriments caused by gambling, as well as to carry out any measures necessary for pursuing these objectives.
4. Sources of data
The afore-cited data are primarily collected from the customers upon registration, the use of the services, and customer service. In addition, information related to the supervision of the casino operations and gambling is collected using technological devices by viewing or photographing/filming. Further, data may be collected when the customers participate in product and service development, surveys, or enquiries.
Customer data are also obtained from the Loyal Customer register controlled by Veikkaus, as well as from other personal registers concerning consumer customers and controlled by Veikkaus, to the extent to which the customers have been informed of the use of the data.
Moreover, customer data arise in Veikkaus’ data systems whenever customers use Veikkaus’ online services and gambling services. In addition to the data received from the customers and obtained as a consequence of their actions, Veikkaus receives customers’ personal data from, e.g.:
- The Population Information System
- The direct marketing restriction service provided by the Data and Marketing Association of Finland, i.e., what is known as the Robinson register.
- Data services providing descriptive information on customer relations: identifying and grouping customer data, such as cookie profiles, from other data controllers.
- Authorities, where possible by virtue of legislation.
5. Recipients of personal data
Veikkaus only transfers and discloses personal data within the limits enabled by legislation.
In its service production and other activities, Veikkaus uses processors of personal data working for and on behalf of Veikkaus. Such processors may be, e.g., companies from which Veikkaus purchases ICT services, including server space, data centre services, or other technological services associated with the casino operations. Veikkaus can also use external service providers working on its behalf in, e.g., direct marketing activities, or maintaining the physical and technological safety at the casinos.
Veikkaus may also disclose personal data to other data controllers in service production and within the limits enabled by legislation. This may be the case when Veikkaus discloses personal data to, e.g., an independent service provider for making a hotel, travel, restaurant, or entertainment reservation in order to provide a service or to realize customer benefits.
Customer data can be transferred to Veikkaus’ other registers of personal data for the above-mentioned purposes, including Veikkaus’ Loyal Customer register, the anti-money laundering register, and the customer due diligence register.
Data can be disclosed to authorities within the limits enabled by legislation, e.g., in order to investigate and prevent fraud. Customer data can also be disclosed within the limits enabled by legislation for the purpose of scientific research.
Veikkaus’ mobile services, operated through an application downloaded by the customers, are subject to Veikkaus’ data protection policy and the conditions and data protection policy of the relevant service provider.
Read about Apple’s conditions at https://www.apple.com/legal/internet-services/itunes/fi/terms.html and Google’s conditions at http://www.android.com/terms.html.
6. Data transfer to third countries and transfer protection
Veikkaus uses subcontractors and other partners for processing personal data. In this context, customer data are processed in a controlled and limited manner outside the EU/EEA.
Veikkaus makes sure that any processing of personal data outside the EU/EEA has legal grounds for transfer and the necessary protective measures for ensuring the appropriate processing of the personal data and data protection have been taken.
The most common protective measures used by Veikkaus are:
- Decision by the European Commission on the adequacy of the level of data protection in the relevant country (GDPR 2016/679, article 45).
- Using the standard protection clauses concerning data protection issued by the European Commission (GDPR 2016/679, article 46.2c).
7. Retention period of personal data
Veikkaus only retains such data which are necessary for its operations and for the purposes of use of personal data, and for which there is a legal basis.
The retention period of personal data is determined by the purpose of processing the personal data and/or the personal data. The retention period is also affected by the legal obligations on the storage of personal data, as well as by other time limits determining the retention period (e.g., the time limit for bringing an action or the expiry period of a criminal prosecution).
Any data that have become useless in view of their purpose, any outdated data, or data for whose processing there are otherwise no longer any grounds, are rendered anonymous or destroyed in a secure manner. Veikkaus also eradicates personal data that have become useless in view of their purpose of use during a customer relation in connection with, e.g., marketing and the use of the online service.
8. Principles of protection of registers
Veikkaus processes personal data in a secure manner in compliance with legislation. The data security, confidentiality, integrity, usability, and accessibility of Veikkaus’ customer data are ensured by appropriate technological and administrative means. Such means may include the pseudonymisation and encryption of personal data, protection of devices and data files, user recognition, access rights, registering of user transactions, passage control, as well as instructing and supervising the processing.
Veikkaus requires all its subcontractors to commit to secrecy and appropriate protection of personal data. Personal data are only processed by such people employed by Veikkaus or its subcontractors whose job descriptions cover the processing of the data in question. The data communications in Veikkaus’ online service are encrypted, and customers can recognize the correct address of the service by the digital certificate.
9. Automatic decisions and profiling
According to the Lotteries Act, Veikkaus can automatically assess the economic, social, and health-related risks which gambling causes to the customers and take measures, if necessary, to prevent and mitigate the risks noted in the assessments. However, no player-specific gambling bans or limitations are imposed based on mere automatic processing of personal data.
10. Customers’ rights
Customers have the right to access their personal data or receive a copy of any personal data concerning them. However, access to certain data has been limited for reasons associated with, e.g., crime prevention and investigation. To the extent to which the processing of a customer’s personal data is based on an agreement or consent, and is automatic, the customer has the right to obtain the personal data they have submitted to Veikkaus in a machine-readable format. Veikkaus may charge the customer for the administrative costs incurred by carrying out the action requested, or it can refuse to carry out the requested action, if the request is clearly groundless or unreasonable.
Customers can request a copy of the personal data concerning them in writing. The data are basically delivered to the customer’s address verified with the Population Information System. Whilst making the request, customers shall indicate as precisely as possible what kind of data they want and what purposes they need the data for.
Customers may request rectification of erroneous or inaccurate data concerning them. They may also request the eradication of personal data which are unnecessary or outdated, if there is no legal basis for the processing of the personal data any longer. The right to request the eradication of personal data does not apply to situations where Veikkaus has the obligation to store the data by virtue of law or in order to secure the legitimate interests of Veikkaus or a third party, including the preparation, presentation, or defending of a legal claim. In such situations, Veikkaus eradicates the customer’s personal data without separate request when the retention period of the data has expired. In certain specific situations, customers have the right to request the processing of their data to be limited.
Customers can manage their direct marketing consents and bans by contacting the customer service point at the casino or Veikkaus’ customer service. Any written requests concerning personal data based on the afore-cited rights are made by submitting a signed request to: Veikkaus Oy, Kasinot/Henkilötietopyyntö, P.O. Box 1, 01009 Veikkaus. The request shall include the customer’s name, date of birth, mailing address, email address, and telephone number.
If Veikkaus assesses a customer’s personal characteristics and makes an automatic decision based on them, according to an agreement between the parties or the customer’s consent, the customer has the right to demand that the data are processed by a natural person instead of by automated means. Moreover, the customer has the right to express their view on the matter and challenge the decision made by Veikkaus.
11. Right to file complaint with supervisory authority
If a customer deems that the personal data concerning them are processed in a manner that breaches the law, they have the right to file a complaint with the supervisory authority. In Finland, the supervisory authority is the Data Protection Ombudsman. For updated instructions on filing a complaint, please see the website of the Data Protection Ombudsman, www.tietosuoja.fi.