English Gambling Education Mark Logo
English Gambling Education Mark Logo

Privacy Policy

Policy Number 68
Organisation Ygam
Policy owner Director of Digital & QA
Date agreed by SLT 10 August 2023
Review Date 31 August 2024

1. Scope

This notice applies to all those whose data is processed by Ygam when it is acting as data controller.

Ygam also operates as English Gambling Education Hub and Safer Gambling Training. Where we use these names, your data is processed as per the table below with Ygam as the data controller. The EGEH is also used by Gamcare which is a separate organisation. For information on how they use your personal data, please reference their Privacy Notice (Gamcare website)

If you have any queries about these processes or how Ygam processes your personal data, please contact the Director of Digital & QA at dataprotection@ygam.org.

2. Responsibilities

The Director of Digital & QA is responsible for ensuring that all potential data subjects have sight of this notice prior to the collection and/or processing of their personal data by Ygam.

If you have any queries about these processes or how Ygam processes your personal data, please contact the Director of Digital & QA at dataprotection@ygam.org

All employees of Ygam who interact with data subjects are also required to ensure that this notice is brought to the attention of all data subjects, securing their consent for the processing of their personal data, where necessary.

3. Summary information about Ygam data processing activities as a data controller

Table 1 below sets out the personal data processing that Ygam undertakes as a data controller. The table includes information about the categories of personal data processed in each case, the lawful basis relied on in each case, third parties involved and data retention applied.

4. How is data collected?

Ygam primarily collects personal data from data subjects either through direct registration for training, through the website, or directly from suppliers.

Ygam also receives personal data from third parties such as conference organisers or directly from organisations who send lists of attendees to us. For lead generation Ygam collects personal data from websites such as LinkedIn or through web searches. Ygam may also get referrals. Personal data relating to donations and gift aid is received from PayPal and JustGiving.

When we receive data from third parties such as conference organisers, we conduct the correct due diligence, risk assessments, and balancing tests to ensure that we are processing the data legally.

We do not make decisions based solely on automated processing, including profiling.

 

5. Lawful basis

To store and process personal data, Ygam relies on four lawful bases:

· where you have given consent - UK GDPR, Art. 6 (1) (a)

· for the performance of a contract with you or to take steps at your request before entering into a contract - UK GDPR, Art 6 (1) (b)

· to comply with our legal and regulatory obligations - UK GDPR, Art 6 (1) (c)

· for our legitimate interests or those of a third party - UK GDPR, Art. 6 (1) (f)

The application of a specific lawful basis to a specific processing activity is set out in table 1 above.

 

6. Change of purpose

Ygam will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will obtain consent where we must and, if we do not, we will explain the legal basis which allows us to process your personal information for this unrelated purpose.

 

7. Providing your personal data to others

Your information may be shared internally but access is restricted to people who need it.

We also routinely share personal data with:

· our CRM system, Salesforce

· our provider of accounting software, Xero

· third parties we use to help enable our organisation to run effectively, e.g, software providers (Microsoft), IT support providers (Qlic IT), delivery companies

· other third parties we use to help us run the charity, e.g. form providers (JotForms), email marketing providers (MailChimp), consultants, web training platform (Moodle) or website hosts

· our insurers and brokers

· our trustees

· our funders

· our bank

 

We only allow those organisations and individuals to handle your personal data if we are satisfied that they take appropriate measures to protect your personal data. We also impose contractual obligations on them to ensure they can only use your personal data to provide services to us and to you.

 

We or the third parties mentioned above occasionally also share personal data with:

· our and their external auditors, e.g. in relation to the audit of our or their accounts, in which case the recipient of the information will be bound by confidentiality obligations;

· our and their professional advisors (such as lawyers and other advisors), in which case the recipient of the information will be bound by confidentiality obligations;

· law enforcement agencies, courts, tribunals and regulatory bodies to comply with our legal and regulatory obligations.

 

We do not allow our third-party service processors to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.

In addition to the specific disclosures of personal data set out in this section, we may also disclose your personal data where such disclosure is necessary for compliance with a legal obligation to which we are subject, or to protect your vital interests or the vital interests of another natural person.

Our cookie policies are available on our websites and includes information on potential data controllers that may receive your cookie data.

 

8. Transferring your personal data out of the UK and EEA

Countries outside the EEA and the UK have differing data protection laws, some of which may provide lower levels of protection of privacy.

We generally do not transfer your personal data to countries outside of the UK or EEA but sometimes it is necessary for us to do so. In those cases, we will comply with applicable UK and EEA laws designed to ensure the privacy of your personal data.

As we are based in the UK, we will also transfer your personal data from the EEA to the UK.

Under data protection laws, we can only transfer your personal data to a country outside the UK/EEA where:

· in the case of transfers subject to UK data protection law, the UK government has decided the particular country ensures an adequate level of protection of personal data (known as an ‘adequacy regulation’) further to Article 45 of the UK GDPR.

· in the case of transfers subject to EEA data protection laws, the European Commission has decided that the particular country ensures an adequate level of protection of personal data (known as an ‘adequacy decision’) further to Article 45 of the EU GDPR.

· there are appropriate safeguards in place, together with enforceable rights and effective legal remedies for you; or

· a specific exception applies under relevant data protection law.

Where we transfer your personal data outside the UK, we do so on the basis of an adequacy regulation or (where this is not available) legally-approved standard data protection clauses recognised or issued further to Article 46 (2) of the UK GDPR. In the event we cannot or choose not to continue to rely on either of those mechanisms at any time, we will not transfer your personal data outside the UK unless we can do so on the basis of an alternative mechanism or exception provided by UK data protection law and reflected in an update to this policy.

Where we transfer your personal data outside the EEA we do so on the basis of an adequacy decision or (where this is not available) legally-approved standard data protection clauses issued further to Article 46 (2) of the EU GDPR. In the event we cannot or choose not to continue to rely on either of those mechanisms at any time we will not transfer your personal data outside the EEA unless we can do so on the basis of an alternative mechanism or exception provided by applicable data protection law and reflected in an update to this policy.

 

9. Retaining and deleting personal data

Your personal data is securely stored.

We keep most of your data for 6 years from the date of your last interaction with us. The exceptions are:

· Reporting data which we keep for 2 years from the date of the report;

· Donor, gift aid and purchasing date, which we keep for 6 years from the end of the financial year in which it was paid; and

· Cookie data which is kept for various durations depending on the cookie (see cookie policy for more information).

At the end of the relevant retention period, we securely destroy or anonymise the data and do not use it for any other purposes.

Retention information can be found in the table above.

 

10. Your rights

Under the UK GDPR, you have rights including:

· Your right of access - You have the right to ask us for copies of your personal information.

· Your right to rectification - You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.

· Your right to erasure - You have the right to ask us to erase your personal information in certain circumstances.

· Your right to restriction of processing - You have the right to ask us to restrict the processing of your personal information in certain circumstances.

· Your right to object to processing - You have the right to object to the processing of your personal information in certain circumstances.

· Your right to data portability - You have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances.

· The right to withdraw consents - If you have provided us with a consent to use your personal data you have a right to withdraw that consent easily at any time. You may withdraw consents by emailing dataprotection@ygam.org. Withdrawing a consent will not affect the lawfulness of our use of your personal data in reliance on that consent before it was withdrawn.

You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you.

You may exercise any of your rights in relation to your personal data by writing to the Director of Digital & QA, email dataprotection@ygam.org.

 

11. Cookies

Ygam’s websites use cookies, a file containing an identifier (a string of letters and numbers) that is sent by a web server to a web browser and is stored by the browser. The identifier is then sent back to the server each time the browser requests a page from the server.

See our cookie policies on our websites for more information.

 

12. Our details

We are the Young Gamers and Gamblers’ Education Trust (Ygam). We are a company registered in England and Wales with company number 09189998 and we are a registered charity in England and Wales under registration number 1162425.

We are registered at the Information Commissioner’s Office (ICO) under registration number ZA125536.

Our registered office is at:

71-75 Shelton Street,

Covent Garden,

London,

WC2H 9JQ

You can contact us:

· by post, using the postal address above

· using our website contact form

· by telephone, on 0203 837 4963

· by email, on hello@ygam.org (please note, if your request is regarding a Data Protection query, please use dataprotection@ygam.org).

You may exercise any of your rights in relation to your personal data by contacting the Director of Digital & QA at dataprotection@ygam.org.

You can also complain to a data protection supervisory authority if you are unhappy with how we have used your data. In the UK, the data protection supervisory authority is the ICO. The ICO can be contacted using the following contact details:

 

The ICO’s address:

Informatioissioner’s Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

SK9 5AF

Helpline number: 0303 123 1113 ICO website: https://www.ico.org.uk

 

13. Review

A formal review of this policy will take place every 3 years unless there is a notable change in relevant legislation or business need which triggers a review before that time.

Cookie Policy

Effective Date: 02-Aug-2023
Last Updated: 25-Aug-2023

What are cookies?

How do we use cookies?
Types of Cookies we use

Manage cookie preferences

Cookie Settings

You can change your cookie preferences any time by clicking the above button. This will let you revisit the cookie consent banner and change your preferences or withdraw your consent right away.

In addition to this, different browsers provide different methods to block and delete cookies used by websites. You can change the settings of your browser to block/delete the cookies. Listed below are the links to the support documents on how to manage and delete cookies from the major web browsers.

Chrome: https://support.google.com/accounts/answer/32050

Safari: https://support.apple.com/en-in/guide/safari/sfri11471/mac

Firefox: https://support.mozilla.org/en-US/kb/clear-cookies-and-site-data-firefox?redirectslug=delete-cookies-remove-info-websites-stored&redirectlocale=en-US

Internet Explorer: https://support.microsoft.com/en-us/topic/how-to-delete-cookie-files-in-internet-explorer-bca9446f-d873-78de-77ba-d42645fa52fc

If you are using any other web browser, please visit your browser’s official support documents.