1 Who are we and what is the purpose of this Data Protection Statement?
Who are we?
We are Gala Leisure Limited, a company incorporated and registered in England and Wales with company number 00794943 and registered office is at New Castle House, Castle Boulevard, Nottingham, Nottinghamshire, NG7 1FT. Gala Leisure Limited is part of a group which also includes our subsidiary, Gala County Clubs Limited, a company incorporated and registered in Scotland with company number SC041681 and registered office at Gala Clubs Regional Office, Kerse Lane, Falkirk, FK1 1RJ (“Gala Leisure Group”).
This Data Protection Statement is issued on behalf of Gala Leisure Group. As such, any references to "Gala", "we", "us" or "our" in this Data Protection Statement are references to the relevant company (as named above) in the Gala Leisure Group which is responsible for processing your data. We will let you know which entity will be the controller for your data when you purchase a product or service with us.
What is the purpose of this Data Protection Statement?
We take your privacy very seriously. As such, we ask that you read this Data Protection Statement carefully as it contains important information about:
(a) what personal data we may collect from you;
(b) how we will use, store and protect your personal data;
(c) with whom we may share personal data; and
(d) your rights under relevant data protection laws.
It is important that you read this Data Protection Statement together with any other privacy notice or fair processing notice we may provide on specific occasions when we are collecting or processing personal data about you so that you are fully aware of how and why we are using your data. This Data Protection Statement supplements the other notices and is not intended to override them.
2 What data do we collect from you?
We may collect and process the following personal data about you:
· Identity data: first name, maiden name, last name, username or similar identifier, marital status, title, date of birth and gender.
· Contact data: billing address, delivery address, email address and telephone numbers.
· Financial data: bank account and payment card details and, in some circumstances, other details which we require in order to complete our anti-money laundering checks (such as ID documents or payslips).
· Transaction data: details about payments to and from you and other details of products and services you have purchased from us.
· Marketing and communications data: your preferences in receiving marketing from us and our third parties and your communication preferences.
· Social media data: your social media profile details (including your name, profile photo, and other information which you make available to us) when you connect with, or otherwise contact, us through a social media account.
· Sensitive personal data: such as information about your race, religion, and health (including mental health, for example, when you choose to self-exclude yourself from our services).
· Profile data: purchases made by you, your interests, preferences, feedback, and survey responses.
· When you use our website, technical data: your username and password, internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this website.
· When you use our website, usage data: information about how you use our website, products and services.
· When you use our website, other data: any other data which you provide to us when you contact us via the live chat function on our website.
3 How do we collect data from you?
We collect your personal data in a number of ways:
· Directly: contact, financial, and identity data directly provided by you when you fill in online forms or correspond with us in any way, for example when:
o completing application forms;
o creating online accounts;
o submitting queries, including via the live chat function on our website;
o connecting with, or otherwise contacting, us through a social media account;
o requesting or consenting to marketing materials being sent to you; or
o providing us with feedback.
· Via CCTV: we use CCTV recording devices across our premises (covert or overt) in order to ensure the security of our customers, employees, buildings, and assets. This means that, while you are onsite at any of our clubs, you may be recorded by CCTV and will see signs informing you about this.
· From third parties/public sources:
o contact, financial and transaction data may be obtained from providers of credit referencing services, including those based outside the EU;
o from social media or any other publically available sources; or
· When you use our website, automatically: as you browse the Gala website certain information relating to your browsing patterns and technical data about the equipment you are using to access the website is automatically collected using cookies, server logs and other similar technologies. Please see section 8 below for further information.
4 How do we use your data?
We may use your personal data for the following purposes:
· to assess your suitability for our services;
· to provide, and seek to improve, the requested services;
· in accordance with our legitimate interests (in circumstances where your interests and fundamental rights do not override our interests);
· to manage your account with us and provide customer service, including to respond to your enquiries, fulfil any of your requests for information and/or self-exclusion, and to send you important information regarding our services and/or other technical notices, updates, security alerts, and support and administrative messages;
· for research, behaviour, and statistical analysis purposes, including to assess patterns in your spending and behaviour when using our services;
· as we believe to be necessary or appropriate:
o in order to comply with a legal obligation, such as the prevention of fraud and money laundering or the conduct of litigation. This includes where the processing is necessary for us to comply with the law;
o to enforce or apply this Data Protection Statement; and
o to protect our legitimate rights, privacy, property or safety, and/or those of a third party and your rights do not override those interests; and
· when you use our website, to personalise your experience on the Gala website.
It is important to us that we only provide you with tailored offers and promotions for services which you may want or need. You will therefore only receive such offers from us if you have consented to, and have not at any point opted out from, receiving marketing.
Opting out from receiving marketing communications from us is easy and you may do so at any time by contacting us at DPO@galaleisure.com or calling customer services on 0808 164 4456. We will process your request to be opted-out of marketing within 30 days of receipt.
We will ensure that we obtain your consent before we share your personal data with any third party company for marketing purposes.
Where you opt out of receiving these marketing communications, we may still process your personal data for other required purposes, as specified in section 5 above.
Legal bases for processing
Under data protection laws, we must have a legal basis in order to process your personal data. The legal bases on which we may process your data are:
· Consent: if you have consented for us to process your personal data for specific reasons.
· Compliance with a legal obligation: where the processing is necessary for us to comply with the law.
· Performance of a contract: in order to perform a contract we may have with you.
· Legitimate interest: in order to carry out the purposes of Gala’s business of providing online and in-club gaming services.
5 How do we keep your data?
We will not retain your personal data for longer than is necessary for the purposes for which the personal data is processed. This means that your data will only be retained for as long as it is still required to provide you with services or is necessary for legal reasons. Accordingly, we are likely to retain your data for no longer than 6 years from the date on which our contract or relationship with you terminates or expires (after which time your data will be anonymised).
When calculating the appropriate retention period for your data, we consider the nature and sensitivity of the data, the purposes for which we are processing the data, and any applicable statutory retention periods. Using these criteria, we regularly review the personal data which we hold and the purposes for which it is held and processed.
Specifically, we retain CCTV footage for a maximum of 31 days (unless there is a legitimate reason to retain it for longer), after which time the footage is deleted. If required for crime prevention purposes, we may provide footage to the police or other appropriate third parties as necessary.
When we determine that personal data can no longer be retained (or where you request us to delete your data in accordance with your right to do so (please see section 7 below for more information)), we ensure that this data is securely deleted or destroyed.
For more details about our retention periods, please contact us at DPO@galaleisure.com.
It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.
In order to protect your personal data, we have appropriate organisational and technical security measures. These measures include restricting access to your personal data to certain employees, ensuring our internal IT systems are suitably secure, and implementing procedures to deal with any suspected data breach.
In the unlikely event of a data breach, we will take steps to mitigate any loss or destruction of data and, if required, will notify you and any applicable authority of such a breach.
6 How do we transfer your data?
Transfers to members of our group
We may share your data with other members of the Gala Leisure Group in order for them to provide services to you and for administrative purposes.
Transfers to third parties
There may be circumstances in which we may also need to share your personal data with certain third parties, including third parties located outside of the EEA.
The third parties to which we may transfer your personal data include:
Category of third party
Reason for transfer
IT, including suppliers of software (including customer relationship management and customer services software) and website support.
For the provision and maintenance of our website and IT software, and related support.
Finance, including payment processing providers.
For the provision of payment processing.
Marketing, including providers of direct mail, email, SMS, and telephone marketing services.
For the provision of marketing communications to our customers.
Analytics, including statistical analysis and research.
For the provision of data analytics services.
Operations, including providers of customer identification services, student discount cards, customer vouchers, CCTV, self-exclusion support, and photographers.
For the provision of a variety of operational services.
Our professional services providers, including providers of legal, accounting, and claims management services.
For the provision of professional services to Gala.
For the provision of identity verification services and conducting credit checks where applicable
The security of your data is important to us and we will, therefore, only transfer your data to such third parties if:
· you have expressly consented to your data being shared with specific third parties;
· the third party needs to access the personal data for the purposes of providing any contracted services to you;
· the third party has agreed to comply with Gala’s instructions, required data security standards, policies, and procedures and put adequate security measures in place;
· the transfer complies with any applicable cross border transfer restrictions and suitable safeguards have been put in place; and
· a fully executed written contract that contains suitable obligations and protections has been entered into between the parties.
As mentioned above, we will only transfer your data where suitable safeguards have been put in place. These safeguards are intended to ensure a similar degree of protection is afforded to your data wherever it may be transferred and includes:
· only transferring your personal data to countries which have been deemed to provide an adequate level of protection for personal data by the European Commission; or
· where your data will be transferred outside of the EEA, entering into specific contractual terms which have been approved by the European Commission and which give personal data the same protection as within the EEA.
For more information on the safeguards used by Gala when transferring personal data to third parties, please contact us at DPO@galaleisure.com.