Privacy policy

I. Responsibility for data processing

Swisslos Interkantonale Landeslotterie Genossenschaft (Swisslos) is responsible for processing your data.

If you have any questions or suggestions with regard to data protection, you may contact our Data Protection Officer, Ms Laura Grüter Bachmann, at any time, either by phone on 0848 877 855, or by post at:

Swisslos Interkantonale Landeslotterie

Data Protection Officer

Lange Gasse 20

4002 Basel

or via e-mail at: datenschutz@swisslos.ch.

For natural persons ordinarily resident in the countries of the European Union (incl. the Principality of Liechtenstein) and for the country-specific supervisory authorities provided for in accordance with the General Data Protection Regulation (GDPR), we hereby appoint as EU data protection officer pursuant to Art. 27 GDPR the following person:

EU data protection representative pursuant to Art. 27 GDPR:

e-comtrust international ag

Zweigniederlassung Bremen

EU-Datenschutzvertreter

Achterdiek 28 b

D-28359 Bremen

Tel. 0049 (0)421 849 198 00

info@eu-datenschutz-vertreter.ch

http://www.eu-datenschutz-vertreter.ch/kontakt/

II. General information about data processing

1. Legal bases

Currently, the basis for the processing of personal data by Swisslos is the Gaming Contract, which is concluded between Swisslos and a game participant if

• the player is registered and has confirmed acceptance of the Terms and Rules and Rules of Play in force for the respective product as well as the Terms and Rules for Internet Games;
• the stake for the respective transaction or play request has been placed;
• the participation transaction data have been transferred to Swisslos, the product has been bought, participation has been recorded on the Swisslos servers in accordance with the regulatory provisions and
• a corresponding entry confirmation ticket has been generated on the Internet Gaming Platform (ISP).

Art. 6 para. 1 b) of the GDPR thus comes into effect as the legal basis for the processing of personal data.

Further, Swisslos is authorized and required to collect personal data and, if necessary, notify the supervisory authorities pursuant to Art. 6 para. 1 c) GDPR and on the basis of the following legal provisions:

• Art. 51 of the Federal Act on Gambling (GamblA) of 29 September 2017 and Art. 41 of the Implementing Ordinance governing gambling of 7 November 2018
• Art. 46ff. Implementing Ordinance
• Art. 64 para. 3 GamblA and Art. 73f. Implementing Ordinance
• Art. 67f. GamblA and Art. 3ff. of the FDJP ordinance on due diligence requirements to be met by organizers of major gaming events in order to combat money laundering and the financing of terrorism (GwV-EJPD) of 7 November 2018, Art. 9f. GwV-EJPD and Art. 7 Anti-Money Laundering Act (AMLA) of 10 October 1997 in conjunction with Art. 23 GwV-EJPD
• Art. 78 para. 2 GamblA
• Art. 82 GamblA and Art. 85 of associated Implementing Ordinance
• Art. 109 GamblA

Furthermore, the legal basis for the processing of personal data arises from Art. 6 para. 1 a) and f), and especially explicit consent from our customers to process the personal data pertaining to them for one or more specific purposes.

2. Scope of processing of personal data

Our processing of our customers' personal data is restricted to those data that are required to provide a well-functioning website as well as our content and services. Our customers' personal data are processed solely for the purposes agreed with them or if another legal basis exists (within the scope of the GDPR or Swiss data protection legislation). This may arise, for example, from technical necessity, contractual or legal requirements, or prevailing interests, i.e. for legitimate reasons, or if you expressly consent. Only those personal data which are actually required for the execution and management of our duties and services are collected, such as managing the customer relationship, providing our services, managing our games and contracts, complying with legal requirements, sales and payment transactions, responding to questions and concerns, information about our products and services as well as their marketing, and support for technical issues.

3. Your rights

Rights of the person affected (data subject rights)

You have the right to request information about your personal data which is processed by us within the framework of the data protection legislation applicable to you and to the extent given therein (such as in the case of the GDPR). In particular, you may request information about the purposes of processing, the categories of the personal data, the categories of recipients who are or were provided with your data, the planned retention period, the existence of a right to the rectification, deletion or restriction of processing, the origin of your data if this was not collected by us, as well as the existence of an automated decision-making tool, including profiling.

Right to object

If you have expressly consented to the use of your personal data, you also have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data pertaining to you based on Art. 6 para. 1 f) of the GDPR.

The responsible party will no longer process the personal data unless they can demonstrate compelling legitimate reasons for the processing which override the interests, rights and freedoms of the affected person, or for the assertion, exercise or defence of legal claims.

If you believe that the processing of your personal data by us contradicts the applicable data protection provisions, you may complain to the data protection authority. The responsible data protection authority in Switzerland is the Federal Data Protection and Information Commissioner (http://www.edoeb.admin.ch). In Liechtenstein, this is the Liechtenstein Data Protection Authority (https://www.datenschutzstelle.li).

Exercising these rights requires you to clearly prove your identity (e.g. with a copy of identification if your identity is not clear or cannot be verified). You may contact us at the address provided in Section I. to assert your rights.

Right to object

If and to the extent that you have consented to Swisslos processing your data with a corresponding declaration, you may revoke your consent for the future at any time. For newsletters, etc. you can revoke this consent yourself by clicking on the unsubscribe link or in your game account under "Newsletter".

4. Retention period of your data

Your data are deleted once they are no longer required to fulfil the purpose for which they were collected (e.g. as part of a contractual relationship). Data will be blocked rather than deleted if legal or actual obstacles prevent the data from being deleted (for example, statutory retention obligations in accordance with the Swiss Code of Obligations or special legislation).

III. Description and scope of data processing

1. Data collection at the point of registration and when purchasing services

For regulatory and contractual reasons, access to the chargeable offerings on the Internet Gaming Platform provided by Swisslos (website, apps) is only possible by registering and thus opening a customer account. To do so, we require the following personal details:

• Title
• Last name, first name
• Date of birth
• Address
• Canton
• E-mail address
• User name
• Password
• Language
• Copy of identification (ID card, residence permit or driving licence)

We retain these data for as long as you have a customer account and until the statutory retention periods have expired.

When you purchase and/or play with products on the Internet Gaming Platform, in addition to the data required for registration – depending on the product or service – we collect the following data:

• Gaming transactions (participation, winnings, cancellations)
• Date and time of access
• Purchase date and duration of subscriptions incl. stake
• Purchase channel (Internet, app, etc.)
• IBAN no.
• Limits

After two years, deactivated accounts are physically deleted by Swisslos without consultation with the account holder; as part of this process, a PDF containing the customer data is created and stored for a period of 10 years.

If a product is purchased at a sales outlet, and a prize is won which must be redeemed from Swisslos owing to its value, the winner's title, last name, first name, address, telephone number (if available), e-mail (if available), date of birth, language and bank details, together with the amount won, are stored for a period of ten years (sports bet wins of CHF 5,000 or more and other wins of CHF 10,000 or more) or three years (all other wins).

Within the context of the legal obligation upon us to ensure due diligence in the combating of money laundering, in the prescribed cases we must also collect the following personal data:

• Nationality (incl. copy of an official identification document)
• Classification as a foreign politically exposed person, or a person who is a close associate of such
• Classification as a domestic politically exposed person, or a person who is a close associate of such
• Declarations by players regarding beneficial owners
• Documents including notes on the results of special investigations
• Documents including notes on the risk classification and on the results of the application of risk characteristics.

The deletion of data collected as part of money laundering prevention activities is carried out in accordance with Art. 23 of the FDJP anti-money laundering ordinance.

Within the context of player protection, the documents regarding your personal, professional and financial situation that are required from you to fulfil the legal obligations are:

• Salary certificates
• Statement of assets and/or tax documentation
• Extract from the debt collection register
• Player information

If a gaming ban is put in place under Art. 80 of the Gambling Act, the blocked players and information about their identity, as well as the type and reason for the gaming ban, is entered in the Swiss ban register, VETO.

The basis for this data processing is Art. 6 para. 1 b) and c) of the GDPR.

2. Identity, credit and KYC check

You are advised that the application and order data provided for the purposes of checking your identity are compared with data that Swisslos obtains from CRIF AG (www.myCRIFdata.ch/#/dsg) and data from the Swiss Post web service (Kompetenzcenter Adressen, Kriens). In Switzerland, CRIF AG is a provider of credit risk management, fraud prevention and address management solutions for every phase of the customer relationship cycle. In the context of player protection, credit checks are also carried out by CRIF AG in certain situations.

In the context of money laundering prevention, your application and order data provided as part of additional clarifications are compared with the KYC and/or due diligence data from LexisNexis GmbH, Düsseldorf. Swisslos does not transmit any personal data to Lexisnexis GmbH.

The basis for this data processing is Art. 6 para. 1 c) of the GDPR.

3. Customer communication in the context of money laundering prevention and early detection in player protection

As part of its legal obligation in the areas of money laundering prevention and early detection in player protection, Swisslos may send you information on measures or request the submission of documentation or contact you (mainly by e-mail, SMS, telephone or post). To this end, your personal data listed in III/1 and 2 will be processed.

The basis for this data processing is Art. 6 para. 1 c) of the GDPR.

4. Data processing for the purpose of marketing communication

From time to time, Swisslos would like to send you information regarding offers and news regarding its products and services (e.g. via e-mail). To this end, your personal data collected during registration and use of the Swisslos game account will be processed for marketing and analysis activities. Specifically, this includes title, first name, last name, e-mail address, date of birth, your contract and subscription details, information about individual games or other services purchased (as well as your clicking behaviour on our websites). However, Swisslos will obtain your express permission in advance.

When you receive information and offerings for marketing purposes, on each occasion you have the opportunity to unsubscribe from receiving any further messages. To this end, each e-mail contains an unsubscribe link which you can click on to prevent further messages. If you have a Swisslos customer account, you can log in at Swisslos.ch and manage your settings for marketing messages at any time under "Newsletter" in your user account. You can arrange the settings for push messages in the apps directly on your smartphone. More information can be found in section 10.

When you receive company mailings (product order option for companies), on each occasion you have the opportunity to unsubscribe from receiving any further messages.

The basis for this data processing is Art. 6 para. 1 a) of the GDPR.

5. Data processing for market research purposes

We occasionally conduct our own market research to continuously improve the quality of our services and offers. We may therefore use your contact details for online surveys if you are registered to receive a newsletter. To this end, we will write to you in person to invite you to participate. We will then evaluate your survey responses in a neutral and pseudonymized form, without any connection being made to your name. The data collected in this way will also not be passed on to third parties and will be deleted once the market evaluations are complete and after a maximum of 360 days.

The basis for this data processing is Art. 6 para. 1 a) of the GDPR.

6. Data processing when using our websites

In principle, you can visit our websites without having to provide any personal details. When you visit our websites, our servers store each retrieval temporarily in a log file. During this process, the following technical data are collected and stored by us for up to six months, after which they are automatically deleted:

• IP address of the requesting computer
• date and time of access
• website from which the site was accessed, with the search word used if possible
• name and URL of the file accessed
• searches conducted
• your computer's operating system (provided by the user agent)
• the browser you use (provided by the user agent)
• device type if the site is accessed on a mobile phone
• transmission protocol used

These data are collected and processed for reasons of system security and stability and for error and performance analysis, as well as for internal statistical purposes, and they enable us to optimize our Internet offering.

Moreover, these data are analysed for clarification and defence in the event of attacks on the network infrastructure or other unauthorized or improper use of the website, and if necessary used for identification purposes and for civil and criminal proceedings against the user concerned.

The basis for this data processing is Art. 6 para. 1 f) of the GDPR.

Finally, when you visit our websites, we use cookies as well as applications and tools which are based on the use of cookies. You will find more information on this in section 8.

7. Data processing where further websites are used (within the framework of partnerships, roadshows and microsites)

Data collected via Swisslos within the framework of partnerships, roadshows or microsites on a website other than Swisslos.ch through active data entry on your part and with your express consent will be stored by Swisslos in accordance with the consent expressly given as part of this campaign and used for marketing purposes. These data will be stored until revoked. At no time will data be passed on to third parties.

You may withdraw and revoke this express consent at any time in accordance with the conditions of section II/3 (Right to object).

The basis for this data processing is Art. 6 para. 1 a) of the GDPR.

8. Cookies

We use cookies on our website to make our offering user-friendly. Cookies are small text files your browser creates automatically and stores on your device (laptop, tablet, smartphone, etc.) when you visit our site. The cookies remain stored until you delete them. This allows us to recognize your browser when you visit again in future. We would like to point out that deactivating cookies in the browser in question may mean that you are no longer able to use all of the functions of our website (see III/3).

If you do not wish to use cookies in general, you can set up your browser so that you receive a notification about cookies being set so you can choose to allow them on an individual basis.

You have the option of changing your personal cookie settings in the browser.

9. Tracking tools

We use Google Analytics, Google reCAPTCHA and web analysis services provided by Frosmo to provide a needs-oriented website design and to continually improve our websites, apps and e-mails.

Pseudonymized user profiles are created and small text files (cookies), which are stored on your computer, are used in connection with our websites. The information produced by these cookies about your use of this website are transferred to the servers of these service providers, and stored and prepared for us there. In addition to the data listed under section 5, we also receive the following information:

• Login
• Registration
• Navigation path that a user takes on the website
• Amount of time spent on the websites
• Website from which Swisslos.ch is left
• Country, region or town/city where the website is accessed
• Device (type, version, colour depth, resolution, width and height of browser window)
• Returning or new visitor
• Transactions carried out (e-commerce)

This information is used to evaluate the use of the websites.

Swisslos uses the remarketing function of Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA („Google“) on its website. This function is implemented via a cookie and serves to present interest-based advertisements to visitors to the website as part of Google's advertising network. On these pages, the visitor may be presented with advertisements that relate to content that the visitor has previously viewed on other websites. By its own account, Google does not collect any personal data during this process. If you still do not want the remarketing function, you can deactivate it by changing the relevant settings at http://www.google.com/settings/ads. You can view further information about Google Remarketing and Google's data protection declaration at: http://www.google.com/privacy/ads/.

Below is some additional information about the tracking tools we use:

a. Google Analytics

Our website uses Google Analytics, a web analysis service provided by Google Inc. ("Google"). Google Analytics uses cookies that are stored on your computer to enable analysis of how you use the website. Information generated by the cookie regarding your use of this website is usually forwarded to a Google server in the USA and stored there. If IP anonymization is activated on our website, your IP address is truncated beforehand by Google within member states of the European Union or other parties to the Agreement on the European Economic Area.

You can prevent cookies from being stored by altering the settings of your browser software. We would point out, however, that this may stop you from making full use of all this website’s features.

If you wish to prevent your data from being used by Google Analytics, you can also click on the following link to download and install a browser add-on to deactivate Google Analytics: http://tools.google.com/dlpage/gaoptout?hl=en.

b. Google reCAPTCHA

We use "Google reCAPTCHA" (hereinafter "reCAPTCHA") on our websites. The provider is Google Inc ("Google"). reCAPTCHA is used to check whether data entry on our websites (e.g. when logging in) is carried out by a human or by an automated programme (Turing test). For this purpose, reCAPTCHA analyses the behaviour of website visitors on the basis of various characteristics. This analysis begins automatically as soon as the website visitor enters the website. For the analysis, reCAPTCHA evaluates various information (e.g. IP address, time spent by the website visitor on the website or mouse movements made by the user). The data collected during the analysis is forwarded to Google.

The reCHAPTCHA analyses run entirely in the background. Website visitors are not made aware that an analysis is taking place.

We use this tool to protect our customer accounts from abusive access attempts.

The basis for this data processing is Art. 6 para. 1 lit. f oft he GDPR.

c. Frosmo

For the visual design of our website and many other technical functions we rely on scripts produced by Frosmo Ltd., Kaivokatu 8B, FI-00100 Helsinki (Frosmo).

Frosmo uses cookie files to ensure technical functionality and to find and rectify errors where necessary. The data transmitted to Frosmo comprise a server logfile, which contains e.g. your IP address, date and time of retrieval, amount of data transferred and the requesting provider (access data) and documents the retrieval. In addition, static values about the amount of time spent on the site, the number of pages retrieved and the actual retrieved pages are transmitted. The products you play are also transmitted to Frosmo for the purpose of ensuring functionality. The data are always transferred in an encrypted, anonymized or pseudonymized form and are not evaluated systematically. Frosmo is contractually prohibited from forwarding data for any other purpose than that agreed upon. The retention period is a maximum of 365 days, after which the data are automatically deleted.

Please note that our Internet Gaming Platform only functions in an extremely limited manner if Frosmo is not activated.

d. Inxmail

When sending e-mails we use e-mail marketing services provided by Inxmail. Our e-mails may therefore contain a web beacon (tracking pixel) or a similar technical tool. A web beacon is a 1x1 pixel-sized, invisible graphic which is linked to the user ID of the e-mail subscriber in question. Web beacons are not cookies and are at no time stored or implemented on the device of the e-mail recipient.

Drawing on these services makes it possible to evaluate whether our e-mails are opened by recipients. It is also possible to record and evaluate their clicking behaviour. We use these data for statistical purposes and to optimize the content of our messages. This enables us to better tailor the information and offers in our e-mails to the individual interests of each recipient. The tracking pixel is deleted when you delete the e-mail.

To prevent the use of the web beacon in our e-mails, change the settings of your e-mail program so that HTML is not shown in messages.

10. Apps

Swisslos offers you the opportunity to play different products using several apps.

Apps that are in place: Swiss Lotto and EuroMillions iOS, EuroMillions Android, clix iOS and sports bets Android and iOS

When using these apps, the following data are processed as follows:

• Depending on the setting in the app, the user name and password are stored as part of the login process. If you click on "Register" in the app, registration is carried out in accordance with III/1 on the Internet Gaming Platform frontend. The app does not store these data.
• Plays purchased and/or the entry confirmation ticket data created for these are transmitted after login and used while the app is running to set out the gaming history. Nothing is saved in the app. Anonymous tracking data (number of users and sessions, session duration, operating systems, device models, region, first-time starts, app executions, app updates and in-app purchases) that are collated as standard by Google Firebase within the framework of Google Analytics are collected. See: https://support.google.com/firebase/answer/6317517?hl=en&ref_topic=6317489
• Crash reports are generated in accordance with https://support.google.com/firebase/answer/6400845, sent to Google Firebase, and visualized accordingly in the Swisslos customer account.

11. Push messages in apps

We use push messages to notify you of processes that may require your particular attention or a reaction from you.

When loading for the first time, the app registers with Google Firebase for the corresponding push messages. The default setting is for push messages to be deactivated. In iOS, the operating system explicitly asks for the customer's approval when the app starts. An individual token which is stored in the Google Firebase system (in the relevant Swisslos account) is generated for Google Firebase. If there is a message to be sent, Google Firebase takes over the delivery attempts to the mobile device. This requires access to the relevant push services of the operating system manufacturer (Apple notification service, Google push services). The individual push messages (e.g. jackpot, news) are sent out by an application (push server) installed at Swisslos. The push server sends this information to Google Firebase. Google Firebase then takes care of transmitting this to all mobile phones which have subscribed to the push message.

12. Newsletter (without customer account)

If you register to receive one of our newsletters, we immediately send an e-mail containing a hyperlink to the e-mail address provided. Click on this link to confirm your registration for the newsletter (double opt-in procedure). If you do not confirm your registration within 30 minutes, the link which was sent becomes invalid. After 24 hours, the e-mail address in our temporary list of prospective subscribers is deleted permanently and registration is cancelled.

By confirming registration for the newsletter, you also consent to the storage of your title, first name, last name and e-mail address, including the date that you applied to register. These data will be stored for as long as you use the newsletter service.

You can unsubscribe from the newsletter service at any time by clicking on the Unsubscribe function at the bottom of every newsletter. You can also request that the newsletter service be deactivated by sending an e-mail to datenschutz@swisslos.ch. After an internal check of your deregistration and an identity check, your registration and the associated personal data for the newsletter service will be deleted.

13. Contact form

You have the option of using a contact form to contact us. To do so, you must provide certain personal data.

We use these and any other data you enter voluntarily (such as title, address, phone number) solely to respond to your enquiry in an optimal and personalized manner. In addition, your data are stored for internal statistical purposes in an anonymized form and in connection with the reason for contact.

We store all e-mails that we receive via the contact form, as well as any correspondence arising from them in cases of player protection or prize payouts, to be able to process the cases or the payouts.

14. Contact with the Swisslos Customer Service Centre

If you phone our Swisslos Customer Service Centre, your conversation is recorded for training purposes and potentially to serve as evidence if required. You will be notified that the call is being recorded at the beginning of your call. The recordings are deleted after six months.

15. Contact with the Swisslos Player Protection unit

Players, their relatives, or third parties have the option of phoning our Player Protection Officer. We record and store data which is provided voluntarily (such as name, place of residence, telephone number, products played, personal situation). However, this is solely to enable us to handle your enquiry in an optimal and personalized manner.

If this results in a player protection case, the data will be processed within the scope of III/1 and 2.

16. Chat

You can participate in interactive forums, such as chat (e.g. Bingo), on Swisslos.ch and other online offerings from Swisslos. Please bear in mind that any information that you divulge in these chats will become public. Suspicious and unlawful statements (e.g. problems with gambling addiction, racism, hate speech, abusive language, etc.) are recorded and stored. In such cases, Swisslos will press criminal charges.

17. Data processing by third parties in Switzerland or abroad

To provide the range of games and for the purposes stated in this privacy policy, Swisslos also has personal data processed by third parties in Switzerland and/or abroad. We have concluded relevant processing contracts with all data processors which oblige them to observe the data protection and data security provisions, and which guarantee us comprehensive checking and monitoring rights as well as rights to information, rectification and deletion.

Swisslos ensures that when data is transferred to countries which do not have adequate data protection, the necessary measures (usually the conclusion of recognized data protection contracts, e.g. based on the EU standard contractual clauses) are taken to protect personal data in accordance with applicable data protection legislation.

Your personal data will be transmitted to the following third parties if necessary:

- Gespa – Swiss Gambling Supervisory Authority

The following data processors:

- Service providers in the areas of marketing, IT, gaming products, payment services and credit agencies

Personal data is only passed on to data processors for purposes that match those purposes for which Swisslos collected personal data, e.g. to fulfil its contractual obligations.

Your personal data will also be transmitted to the following independent controllers if necessary:

- Service providers for sport media and the sports betting industry

This means that Swisslos works with these companies but they do not act as data processors. As independent controllers, these companies decide for themselves how personal data is processed.

IV. Data security

We employ suitable technical and organizational security measures to protect your personal data stored by us from manipulation, partial or total loss, and against unauthorized access by third parties. We are certified in accordance with ISO 27001. Our security measures are continuously improved in line with technological developments.

We also take data security within the company very seriously. Our employees undertake to ensure confidentiality within the framework of their employment contract, and the external service providers contracted by us undertake in writing to adhere to the provisions on data protection.

We take appropriate precautionary measures to protect your data. However, the transmission of information over the Internet and other electronic means always carries certain security risks, and we cannot guarantee the security of information transmitted in this way.

In the event of any breaches of data protection, Swisslos is bound by the requirements regarding notification of the supervisory authorities (Art. 33 GDPR) as well as the obligation to inform the persons affected (Art. 34 GDPR).

V. Amendments to this privacy policy

We may change this privacy policy at any time without prior notice. The current version published on our website applies. If the privacy policy forms part of an agreement with you, we will notify you of any change in the event of an update if this can be done without disproportionate effort.

Valid as of 29 March 2023