1. Data controller

Veikkaus Oy (”Veikkaus”)

Business ID 2765220–1

P.O. Box 1, 01009 Veikkaus

exchange (09) 43701

Contact person in register matters

General Manager, Casino Helsinki and Casino Tampere

P.O. Box 1, 01009 Veikkaus

Tel: exchange (09) 43701

Data controller’s representative

Data Protection Officer of Veikkaus Oy

P.O. Box 1, 01009 Veikkaus

Tel: exchange (09) 43701

tietosuoja@veikkaus.fi

2. Purposes and legal basis of processing personal data

Veikkaus processes personal data associated with casino customer accounts primarily based on an agreement with the customer. Veikkaus also processes personal data based on legal requirements, consent, and legitimate interests.

The purposes of processing personal data in the casino customer registers are as follows:

The legal basis for the processing of personal data is, depending on the purpose of the processing and/or the personal data,

As regards the duties associated with the prevention and investigation of money laundering and terrorism, as well as those associated with coercive measures, the processing of personal data at the casinos is described in a separate privacy policy statement on the prevention of money laundering and on customer due diligence.

3. Personal data in the register

The following personal data are processed in the casino operations:

• Basic data on the customers:

•    Contact details:

•    Identifying data on the customers:

Data linked to the customer account

Data related to gambling and service production or use:

By virtue of the Lotteries Act, Veikkaus also has the right to process the following personal data:

As regards these data, personal data can be processed with data from Veikkaus’ other personal file systems, including Veikkaus Loyal Customer register, whenever processing is indispensable in order to secure the legal protection of those engaging in gambling games, to prevent fraud and crime, to investigate fraud, or to prevent and mitigate the economic, social, and health-related detriments caused by gambling, as well as to carry out any measures necessary for pursuing these objectives.

4. Sources of data

The afore-cited data are primarily collected from the customers upon registration, the use of the services, and customer service. In addition, information related to the supervision of the casino operations and gambling is collected using technological devices by viewing or photographing/filming. Further, data may be collected when the customers participate in product and service development, surveys, or enquiries.

Customer data are also obtained from the Loyal Customer register controlled by Veikkaus, as well as from other personal registers concerning consumer customers and controlled by Veikkaus, to the extent to which the customers have been informed on the use of the data.   

Moreover, customer data arise in Veikkaus’ data systems whenever customers use Veikkaus’ online services and gambling services. In addition to the data received from the customers and obtained as a consequence of their actions, Veikkaus receives customers’ personal data from, e.g.:

5. Recipients of personal data

Veikkaus only transfers and discloses personal data within the limits enabled by legislation.

In its service production and other activities, Veikkaus uses processors of personal data working for and on behalf of Veikkaus. Such processors may be, e.g., companies from which Veikkaus purchases ICT services, including server space, data centre services, or other technological services associated with the casino operations. Veikkaus can also use external service providers working on behalf of it in, e.g., direct marketing activities, or maintaining the physical and technological safety at the casinos.   

Veikkaus may also disclose personal data to other data controllers in service production and within the limits enabled by legislation. This may be the case when Veikkaus discloses personal data to, e.g., an independent service provider for making a hotel, travel, restaurant, or entertainment reservation in order to provide a service or to realize customer benefits.

Customer data can be transferred to Veikkaus’ other registers of personal data for the above-mentioned purposes, including Veikkaus’ Loyal Customer register, the anti-money laundering register, and the customer due diligence register.

Data can be disclosed to authorities within the limits enabled by legislation, e.g., in order to investigate and prevent fraud. Customer data can also be disclosed within the limits enabled by legislation for the purpose of scientific research.

Veikkaus’ mobile services, operated through an application downloaded by the customers, are subject to Veikkaus’ data protection policy and the conditions and data protection policy of the relevant service provider. 

Read about Apple’s conditions at  https://www.apple.com/legal/internet-services/itunes/fi/terms.html and Google’s conditions at http://www.android.com/terms.html.

6. Data transfer to third countries and transfer protection

Veikkaus uses subcontractors and other partners for processing personal data. In this context, customer data are processed in a controlled and limited manner outside the EU/EEA.

Veikkaus makes sure that any processing of personal data outside the EU/EEA has legal grounds for transfer and the necessary protective measures for ensuring the appropriate processing of the personal data and data protection have been taken.

The most common protective measures used by Veikkaus are:  

7. Retention period of personal data

Veikkaus only retains such data which are necessary for its operations and for the purposes of use of personal data, and for which there is a legal basis.  

The retention period of personal data is determined by the purpose of processing the personal data and/or the personal data. The retention period is also affected by the legal obligations on the storage of personal data, as well as by other time limits determining the retention period (e.g., the time limit for bringing an action or the expiry period of a criminal prosecution.  

Any data that have become useless in view of their purpose, any outdated data, or data for the processing of which there are not any grounds otherwise anymore, are rendered anonymous or destroyed in a secure manner. Veikkaus also eradicates personal data that have become useless in view of their purpose of use during a customer relation in connection with, e.g., marketing and the use of the online service.

8. Principles of protection of registers

Veikkaus processes personal data in a secure manner in compliance with legislation. The data security and confidentiality; the integrity, usability, and accessibility of Veikkaus’ customer data are ensured by appropriate technological and administrative means. Such means may include the pseudonymisation and encryption of personal data, protection of devices and data files, user recognition, access rights, registering of user transactions, passage control, as well as instructing and supervising the processing.

Veikkaus requires all its subcontractors to commit to secrecy and appropriate protection of personal data. Personal data are only processed by such people employed by Veikkaus or its subcontractors whose job descriptions cover the processing of the data in question. The data communications in Veikkaus’ online service are encrypted, and customers can recognize the correct address of the service by the digital certificate.

9. Automatic decisions and profiling

According to the Lotteries Act, Veikkaus can automatically assess the economic, social, and health-related risks which gambling causes to the customers and take measures, if necessary, to prevent and mitigate the risks noted in the assessments. However, any player-specific gambling bans or limitations are not imposed based on mere automatic processing of personal data.

10. Customers’ rights

Customers have the right to access their personal data or receive a copy of any personal data concerning them. However, access to certain data has been limited for reasons associated with, e.g., crime prevention and investigation. To the extent to which the processing of a customer’s personal data is based on an agreement or consent, and is automatic, the customer has the right to obtain the personal data they have submitted to Veikkaus in a machine-readable format. Veikkaus may charge the customer for the administrative costs incurred by carrying out the action requested, or it can refuse to carry out the requested action, if the request is clearly groundless or unreasonable.   

Customers can request a copy of the personal data concerning them in writing. The data are basically delivered to the customer’s address verified with the Population Information System.  Whilst making the request, customers shall indicate as precisely as possible what kind of data they want and what purposes they need the data for.

Customers may request rectification of erroneous or inaccurate data concerning them. They may also request the eradication of personal data which are unnecessary or outdated, if there is no legal basis for the processing of the personal data any longer. The right to request the eradication of personal data does not apply to situations where Veikkaus has the obligation to store the data by virtue of law or in order to secure the legitimate interests of Veikkaus or a third party, including the preparation, presentation, or defending of a legal claim. In such situations, Veikkaus eradicates the customer’s personal data without separate request when the retention period of the data has expired. In certain specific situations, customers have the right to request the processing of their data to be limited.

Customers can manage their direct marketing consents and bans by contacting the customer service point at the casino or Veikkaus’ customer service. Any written requests concerning personal data based on the afore-cited rights are made by submitting a signed request to: Veikkaus Oy, Kasinot/Henkilötietopyyntö, P.O. Box 1, 01009 Veikkaus. The request shall include the customer’s name, date of birth, mailing address, email address, and telephone number.  

If Veikkaus assesses a customer’s personal characteristics and makes an automatic decision based on them, according to an agreement between the parties or the customer’s consent, the customer has the right to demand that the data are processed by a natural person instead of automatization. Moreover, the customer has the right to express their view on the matter and challenge the decision made by Veikkaus.

11. Right to file complaint with supervisory authority

If a customer deems that the personal data concerning them are processed in a manner that breaches the law, they have the right to file a complaint with the supervisory authority. In Finland, the supervisory authority is the Data Protection Ombudsman. For updated instructions on filing a complaint, please see the website of the Data Protection Ombudsman, www.tietosuoja.fi.