Appropriate Policy Document
Description of data processed
- name;
- email address & phone number;
- information about the various devices that our blocking licence covers;
- user preferences with regard to receiving our newsletter;
- profile data such as gambling addiction status, which includes level of gambling, time of last gambling session & user name;
- internet protocol (IP) address, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices users use to access the Gamban website;
- payment details;
- website usage data
Schedule 1 condition for processing
- Consent (Article 6(1)(a) and Article 9(2)(a)): Users provide explicit consent for the processing of their personal and special category data when signing up for the service.
- Performance of a Contract (Article 6(1)(b)): Data processing is necessary to fulfil the contractual obligation of providing a gambling-blocking service.
- Substantial Public Interest (Article 9(2)(g)): Processing special category data supports the public health objective of mitigating gambling-related harm, aligning with national laws.
Accountability principle
We maintain appropriate documentation of our processing activities and we have the necessary data protection policies in place, which can be found at gamban.com/privacy. We also carry out Data Protection Impact Assessments for uses of personal data that are likely to result in high risk to individuals’ interests, which can be found here.
Principle (a): lawfulness, fairness and transparency
The appropriate lawful basis for processing SC/CO data is listed in our DPIA. Gamban ensures that users are fully informed about the collection and use of their data. At the point of sign-up, users are presented with a clear, concise explanation of:
- Why their data is being collected and how it will be used.
- The type of data being processed, including special category data related to gambling behaviours.
- The lawful bases for processing, with explicit consent obtained where required.
- The steps Gamban takes to protect their data and maintain privacy.
- The user's ability to withdraw consent at any time without affecting the legality of processing prior to withdrawal.
To further ensure fairness, Gamban allows users to manage their data preferences through the app, providing them with the ability to update or request deletion of personal information at any time. This reinforces our commitment to being open and honest, and to ensuring that users’ rights are respected.
Principle (b): purpose limitation
We have clearly identified and documented the purposes for processing special category (SC) data. These are detailed in Section 3 of the DPIA. We have procedures in place to evaluate the compatibility of any new data processing purposes with the original purpose. These steps include:
- Assessing whether the new purpose is closely related to the original purpose (e.g., improving service delivery).
- Conducting a new Data Protection Impact Assessment (DPIA), if necessary, to evaluate the risks of the new processing activity.
- Obtaining explicit consent from users if the new purpose is unrelated to the original purpose or involves processing special category data in a new way.
Principle (c): data minimisation
We ensure that only the minimum amount of SC/CO data necessary to achieve our specified purposes is collected. We collect behavioural data solely to provide effective gambling-blocking services and support users in managing gambling harm. We do not collect unnecessary personal data, such as financial or unrelated health information, unless explicitly required for service provision or legal compliance. We periodically review all stored SC/CO data to ensure compliance with our purposes. This includes regular audits, an automated deletion policy and user-initiated deletion.
Principle (d): accuracy
The majority of SC/CO data is directly provided by users during registration or via their interactions with our software. As such, we record the source of this data and allow users to verify its accuracy. Any flagged discrepancies are promptly reviewed and corrected to maintain data integrity. We ensure SC/CO data remains up to date and fit for its intended purpose via user-driven updates.
Principle (e): storage limitation
Retention periods are documented in Section [1] of Gamban’s DPIA and have been reviewed to ensure they are proportionate and justifiable. We have established processes to regularly review SC/CO data and ensure that it is erased or anonymized when no longer needed, as stated in Principle (c) of the Appropriate Policy Document.
Principle (f): integrity and confidentiality (security)
We conduct regular risk assessments, including through our Data Protection Impact Assessments (DPIAs) and ISO27001:2022, to evaluate the risks associated with processing SC/CO data. Our Information Security Policy outlines the controls in place for protecting SC/CO data, including access controls, encryption, incident response and staff training. The policy is reviewed annually or following any significant changes in processing activities, technology, or regulatory requirements.
Retention and erasure policies
Personal data will be retained for as long as the user maintains an active account with Gamban. If the account is inactive for more than 12 months, Gamban will delete said data. Users can request deletion of their accounts at any time, and personal data will be erased within 30 days of the deletion request. In cases where data is required to be retained for legal, compliance or regulatory reasons, Gamban will retain the necessary data for the period specified by law, after which it will be securely deleted.
APD review date
Review date: 18/11/2024