Genting UK Plc Privacy Statement

Last updated: May 2018 What's new?

Our customers’ privacy is important to us and we want to be clear and open about what we use your personal information for. This privacy notice explains what personal data we collect from you through our interactions with you and your use of our products and services, and also how and why we use that data.

We offer a variety of different services to our customers and this policy covers our interactions with you in relation to all of these services.

There is a significant amount of information in this privacy notice and we recognise that you may not wish to review all of it at any one time. We have therefore highlighted specific sections which we believe that it is most important you are made aware of, including information about your rights, when and how we may share your personal data and how you can control what marketing you receive.

Who is responsible for the collection of your data


Any references in this notice to “Genting”, “we”, “us” or “our” in this privacy notice are references to all of our brands which include “GentingCasino.com”, “Genting Casinos”, “Crockfords”, “Crockfords Cairo”, “Resorts World Birmingham”, “Genting Hotel”, “Santai Spa”, “Vortex”, “Pixel by Vortex” and “Park Lane Mews Hotel”.

The above brands are all trading names of our operating companies, and if you interact with any of these or the below entities, this privacy notice applies:

  • Genting UK Plc, Genting Casinos UK Limited, Coastbright Limited, Genting Solihull Limited and Genting Casinos Egypt Limited all incorporated and registered in the United Kingdom under company numbers 01519749, 01519689, 05176386, 06601106, 02885976 respectively and with the registered office of Genting Club Star City, Watson Road, Birmingham, England, B7 5SA. 
  • Park Lane Mews Hotel London Limited incorporated and registered in the United Kingdom under company number 07672723 with the registered office of 2 Stanhope Row, Mayfair, London, England, W1J 7BS.
  • Genting Alderney Limited incorporated and registered in Alderney under company number 1664 with the registered office of Century House, 12 Victoria Street, Alderney, GY9 3UF.

All of the above companies are also registered with the Information Commissioners Office.

We review this privacy notice regularly. All amendments and the date of these amendments are outlined under the ‘Last Updated’ section at the top of this page.

Top of page

Our Data Protection Officer


We have appointed a Data Protection Officer. If you have any questions about this privacy notice, wish to make a complaint about our use of your data, or if you would like to invoke any of your rights as a data subject, please direct them to:

  • The Data Protection Officer, Genting Club Star City, Watson Road, Birmingham, England, B7 5SA or by email to DPO@GentingUK.com.

We may require some information from you should you choose to invoke any of your rights. The information required is outlined below in the section entitled Your Rights.

Top of page

When we collect personal data


We collect your personal data to enable us to provide you with our services and to give you information about products and services that might be of interest to you.

The majority of the personal data that we collect is provided by you directly when you register to use our services, both online or in our premises, when you visit our premises, and when you interact with us by other means (for examples click on “Learn More” below). We will also collect other data by recording it at the time that you use our services. We outline what this data is and why we collect it later on in this notice.

You have a choice about what personal data we collect about you. When you are asked to provide personal data you may decline. However, if you refuse to provide the data that we require, we may not be able to provide you with all of our services.

We will collect your personal data when you interact with us, which includes when:

  • you visit one of our casinos;
  • you visit any of our websites;
  • you register for membership at our casinos or online;
  • you are registered for our loyalty scheme (at one of our casinos or online);
  • you download any of our Apps;
  • you register for WIFI in our premises;
  • you book a hotel room or stay at Genting Hotel or Park Lane Mews Hotel;
  • you book a spa appointment or visit Santai Spa; 
  • you register a Vortex Gaming card;
    • we collect data from customers aged 13 and over from this source. This data is segregated and is not held in the same place as the personal data of our other customers.
  • you sign up to receive marketing about any of our Casino products or services;
    • we have created a preference centre to enable you to control how and why we contact you.
  • you sign up to receive marketing from Vortex Gaming or Pixel by Vortex;
    • we have created a preference centre to enable you to control how and why we contact you.
  • you sign up to receive marketing from Resorts World Birmingham;
    • we have created a preference centre to enable you to control how and why we contact you.
  • you sign up to receive marketing from Santai Spa;
    • we have created a preference centre to enable you to control how and why we contact you.
  • you sign up to receive marketing from Genting Hotel;
    • we have created a preference centre to enable you to control how and why we contact you.
  • you sign up to receive marketing from Park Lane Mews Hotel;
    • we have created a preference centre to enable you to control how and why we contact you.
  • when you interact with us (e.g. queries, complaints, correspondence);
  • when you participate in social media connected to us;
  • when you participate in promotions, competitions or surveys we conduct.
Top of page

Obtaining data from third parties


To ensure that we comply with our legal and regulatory obligations and enable us to provide you with our services, we may obtain data from third parties. We will protect this data in the same way that we protect the data that you provide to us directly and in line with any other requirements we are placed under either by the source of the data (where there is a contractual obligation to do so) or if we are required to by law.

We will only ever obtain our information from sources that are reputable and we will ensure that the data we are being provided with has been obtained lawfully, for example by the third party having secured your consent to share this data with us.

Third parties from whom we may obtain your personal data include:

  • Genting Group Companies (in this context we mean Genting Berhad and Genting Hong Kong Limited, their subsidiary companies, jointly controlled entities and associated companies)
  • Credit reference agencies
    • To ensure that we comply with our legal and regulatory obligations (which includes for fraud prevention and anti-money laundering purposes) we may obtain information from credit reference agencies. The information we obtain does not include information about your credit standing or score
  • Commercial available databases and publicly available sources
    • In some instances we may need to undertake further due diligence checks to comply with our legal and regulatory obligations (which includes for fraud prevention and anti-money laundering purposes) so that we are able to verify your information or investigate suspicious activity both in relation to you or any third party. We use databases that make certain information commercially available for these purposes. We may also look at publicly available sources such as social media or property ownership records.
    • We may also purchase the services that are offered by other third party data sources that are available commercially.
  • Gamstop and SENSE
    • If you are a UK customer and you have, or decide to, self-exclude from gambling using the Gamstop national self-exclusion database or the Sense national self-exclusion scheme, we will be notified and we will use this information about you to prevent you from accessing our services.
  • Regulatory and law enforcement agencies


 

Top of page

Our use of your personal data


We use your personal data for a number of different reasons, some of which may not be immediately apparent to you, therefore we have explained in detail how we use your personal data in this table

We outline our specific legal basis for processing the personal data we collect from you against our categorised use of such data here.

Top of page

The personal data that we collect


The data that we collect from you will vary depending upon the services that we provide you with and your choices (including your privacy settings). We outline the data that we may collect, our use of that data and our legal basis for processing that data in the table below.

Personal Data Collected Use of Personal Data Processing Condition

Name and other contact information

(including title, date of birth, gender, nationality, address, telephone numbers, email address, customer/user ID and proof of identity information).

  • Fraud prevention and anti-money laundering.
  • Compliance with legal and regulatory obligations.
  • General commercial operations.
  • For product/service development and enhancement.
  • Marketing.
  • Profiling or segmentation.
  • Sharing with, or processing by, third parties.

To view our table of uses of personal data please click here.
 

  • Performance of a contract.
  • Compliance with a legal obligation.
  • Necessary for the purposes of our legitimate business interests.
To view more information about our legal basis for processing your personal data click here.
 
Payment card or bank account information
  • Fraud prevention and anti-money laundering
  • Compliance with legal and regulatory obligations.
  • General commercial operations.
  • Sharing with, or processing by, third parties.
To view our table of uses of personal data please click here.
 
  • Performance of a contract.
  • Compliance with a legal obligation.
  • Necessary for the purposes of our legitimate business interests.
To view more information about our legal basis for processing your personal data click here.
 

Closed circuit television (CCTV), photographs, or audio recordings of you


This information will only be collected when you visit our land based premises.
  • Fraud prevention and anti-money laundering.
  • Compliance with legal and regulatory obligations.
  • General commercial operations.
  • Sharing with, or processing by, third parties.
To view our table of uses of personal data please click here.
 
  • Compliance with a legal obligation.
  • Necessary for the purposes of our legitimate business interests.
To view more information about our legal basis for processing your personal data click here.
 
Offences 
  • Fraud prevention and anti-money laundering.
  • Compliance with legal and regulatory obligations.
  • Sharing with, or processing by, third parties.
To view our table of uses of personal data please click here.
 
  • Compliance with a legal obligation.
  • Necessary for the purposes of our legitimate business interests.
To view more information about our legal basis for processing your personal data click here.
 
Technical / device information (including IP address, cookies, geo-location, browser information and operating system information
  • Fraud prevention and anti-money laundering.
  • Compliance with legal and regulatory obligations.
  • General commercial operations.
  • For product/service development and enhancement.
  • Marketing.
  • Profiling or segmentation.
  • Sharing with, or processing by, third parties.
To view our table of uses of personal data please click here.
In the majority of cases we are not able to identify you from cookies. See our cookie policy for more information.
 
  • Compliance with a legal obligation.
  • Necessary for the purposes of our legitimate business interests.
To view more information about our legal basis for processing your personal data click here.
 
Customer records relating to due diligence, gaming and responsible gaming (including occupation, passport and driving licence copies and proof of signature)
  • Fraud prevention and anti-money laundering.
  • Compliance with legal and regulatory obligations.
  • General commercial operations.
  • For product/service development and enhancement.
  • Marketing.
  • Profiling or segmentation.
  • Sharing with, or processing by, third parties.
To view our table of uses of personal data please click here.
 
  • Compliance with a legal obligation.
  • Necessary for the purposes of our legitimate business interests.
To view more information about our legal basis for processing your personal data click here.
 
General correspondence 
  • Fraud prevention and anti-money laundering.
  • Compliance with legal and regulatory obligations.
  • General commercial operations.
  • For product/service development and enhancement.
  • Marketing.
  • Profiling or segmentation.
  • Sharing with third parties.
To view our table of uses of personal data please click here.
 
  • Performance of a contract.
  • Compliance with a legal obligation.
  • Necessary for the purposes of our legitimate business interests.
To view more information about our legal basis for processing your personal data click here.
 
Medical Notes 
(Spa Customers Only)
  • Compliance with legal and regulatory obligations.
  • General commercial operations.
  • Sharing with, or processing by, third parties.
To view our table of uses of personal data please click here.
 
  • Consent
  • Compliance with a legal obligation
To view more information about our legal basis for processing your personal data click here.
 
Social media account information
  • Fraud prevention and anti-money laundering.
  • Compliance with legal and regulatory obligations.
  • General commercial operations.
  • For product/service development and enhancement.
  • Marketing.
  • Profiling or segmentation.
  • Sharing with, or processing by, third parties.
To view our table of uses of personal data please click here.
 
  • Compliance with a legal obligation.
  • Necessary for the purposes of our legitimate business interests.
To view more information about our legal basis for processing your personal data click here.
 
Information regarding marketing preferences
  • Compliance with legal and regulatory obligations.
  • General commercial operations.
  • Marketing.
  • Profiling or segmentation.
  • Sharing with third parties.
To view our table of uses of personal data please click here.
 
  • Compliance with a legal obligation.
  • Necessary for the purposes of our legitimate business interests.
To view more information about our legal basis for processing your personal data click here.
 
Top of page

Retention, storage and, protection of personal data


Retention

We will retain your personal data for as long as we need it in order to fulfil the purposes that are outlined in this Privacy Notice provided that we have a valid legal reason to do so. As these needs can vary depending upon the purpose of our processing the data, the length of time that we process the data can vary significantly.

In order to determine the length of time we will retain your data we consider the following factors:

  • How long is the data required to enable us to provide you with our services?
    - For example: To maintain adequate business and financial records, to enable us to contact you in line with your preferences, to enable us to comply with lawful requirements.
  • Is the personal data we hold about you Special Category personal data?
    - For example: Data about your race; ethnic origin; politics; religion; trade union membership; genetics; biometrics; health; sex life; or sexual orientation.
  • Are we subject to a legal, regulatory or contractual obligation to retain the data?
    - For example: We are under an obligation under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 to keep a record of all customer due diligence records we have for a period of 5 years following the end of a business relationship. We are also obliged by the Gambling Commission to retain self-exclusion records to enable us to implement self-exclusion periods.

When we no longer need to retain your personal data we will always ensure that it is deleted securely by us and we will also require third parties with whom we have shared your personal data to have deleted it also. 

In instances where we want to retain data for analysis purposes for a longer period than we are able to we will anonymise this data such that it can no longer be linked back to you. Where we do this the information will no longer be your personal data.

Please note that if you opt-out from the receipt of marketing from us, we may need to retain your contact information in order that we can ensure that you no longer receive such marketing.

Storage and protection of personal data

We are committed to taking appropriate technical and organisational measures to protect your personal data against unauthorised or unlawful processing and also against accidental loss, destruction or damage. We use a variety of technologies to help to protect your personal data.

For example, we ensure that your personal data is stored on computer systems that have limited access and that are in secure controlled facilities, we ensure that appropriate protection is in place whenever we allow access to your personal data by third parties, and we ensure that your personal data is protected through encryption whenever it is transmitted.

  • We adhere to high security standards in order to protect any information you give us and our security programme is aligned with ISO 27001 and PCI-DSS frameworks. 
  • Any data you give us will be retained in a secure environment and access to it will be heavily restricted on a ‘need to know’ basis.
  • The primary storage location of your personal data will be in the United Kingdom. However, as outlined in this Privacy Notice, we may in some instances disclose your personal data to third parties. Where we disclose your personal data to a third party, we require that third party to have appropriate technical and organisational measures in place to protect your personal data. In instances where we are required by law to disclose your personal data to third parties (for example to law enforcement agencies) we have limited control over how it is protected by that third party. 

Customers to whom we provide gambling services 

  • In general we will retain the majority of your personal data for a period of 5 years after the conclusion of your business relationship with us. We consider a business relationship to be at an end if you have not interacted with us at all for a period of 13 months. At this point we will retain your data and we will no longer process it for any other reason other than its deletion unless and until you further engage with us.
  • If you have a gambling account or membership with us, but you have never used our gambling services, we will retain your data for a period of 3 years. If you have not interacted with us (logged in to an account, visited our premises, clicked through a link in a marketing email, logged into our preference centre) for a period of 13 months we will stop any processing of your personal data beyond its retention and deletion unless and until you further engage with us.
  • If you are subscribed to our marketing only and do not have an active account or membership with us, we will delete all personal data that we hold about you at the point that you opt-out to the receipt of any marketing material from us.
  • CCTV footage from our premises is generally retained for a maximum period of 30 days.
  • There will be some exceptions to the period of time we retain your personal data. For example, we may retain your data for a longer period if you have self-excluded from gambling with us or if we need to retain your data because of ongoing litigation. 


Customers to whom we provide non-gambling services

  • ​In general we will retain the majority your personal data for a period of 24 months following your last interaction with us. We will stop processing your data if you have not interacted with us (logged in to an account, visited our premises, clicked through a link in a marketing email, logged into our preference centre) after 13 months. At this point we will retain your data and we will no longer process it for any other reason other than its deletion unless and until you further engage with us.
  • If you are subscribed to our marketing only and have not purchased any non-gambling services from us, we will delete all personal data that we hold about you at the point that you opt-out to the receipt of any marketing material from us.
  • CCTV footage from our premises is generally retained for a maximum period of 30 days.
  • There will be some exceptions to the period of time we retain your personal data. For example, we may retain your data for a longer period if you have been suspended from our premises or if we need to retain your data because of ongoing litigation.
  • If you visit our spa we are required to collect information about your health before you are able to use our services. Any information about your health will be collected only if you give us your consent.
Top of page

Your rights


Under the General Data Protection Regulation and the Data Protection Act 2018 you have a number of rights with regard to your personal data.

Your right to access the data we hold about you

  • You have the right to request from us access to your personal data along with confirmation as to whether your personal data are being processed and the purposes of such processing.
    • To submit a request for access to your personal data, please contact us at DPO@GentingUK.com
      • We will require that you provide us with proof of identity before we comply with such requests
      • We are also likely to ask you some additional questions to assist us in providing the information you are looking for.

Your right to have inaccuracies in your personal data corrected

  • You have the right to obtain from us the rectification of any inaccurate personal data that we hold.
    • Please note that it is possible for you to rectify any inaccurate personal data that we hold fairly quickly and easily by undertaking one of the following actions yourself:
      • Updating your details yourself in the ‘Your Account’ section of GentingCasino.com;
      • Contacting customer services at GentingCasino.com by email, telephone or live chat;
      • Updating your preferences in our Preference Centre;
      • Asking at the reception in any of our operating premises.
  • Alternatively you can contact us at DPO@GentingUK.com and submit a request for the same.

Your right to erasure

  • You have the right to request that we erase your personal data in certain circumstances.
  • These circumstances are where:
    • our retention is no longer necessary in relation to the purposes for which they were collected;
    • if we are processing your data with your consent, you wish to withdraw that consent
    • if we are processing your data in our legitimate business interests and we have not demonstrated overriding legitimate grounds to continue to process your data in the event that you have objected to such processing (see below);
    • if your personal data have been unlawfully processed;
    • if we are required to erase your data in compliance with a legal obligation.
  • It is of note that, other than data collected exclusively through our preference centre (where no membership or commercial relationship exists alongside this) we do not process your data with your consent. Requests for erasure based on the withdrawal of consent alone outside these circumstances are unlikely to be complied with. We will delete your data when you opt-out of marketing if the only data we hold is within the preference centre. 
  • We will not delete your personal data if we still have a valid fraud, anti-money laundering, legal or regulatory obligation to retain it, unless the courts or our regulators require us to do so.
  • If you wish to exercise this right, please contact us at DPO@GentingUK.com. 

Your right to restrict our processing of your personal data

  • You have the right to require that we restrict our processing of your personal data in certain circumstances.
    • These circumstances are where:
      • you have contested the accuracy of your personal data (restriction for a period to enable us to verify the accuracy of the personal data);
      • our processing is unlawful and you oppose the erasure of your personal data;
      • we no longer need the personal data but you require it for the establishment, exercise or defence of a claim;
      • you have objected to our processing of the data, pending the verification whether our legitimate grounds override yours.
    • In instances where we have restricted our processing of your personal data, we will inform you when the restriction of such processing has been lifted.

Your right to data portability

  • If we are processing your data with your consent or because our processing is necessary for the performance of a contract to which you are a party and such processing in carried out by automated means, you have the right to receive your personal data from us in a commonly used and machine readable format and to transmit this data to another data controller.
    • If you wish to exercise this right, please contact us at DPO@GentingUK.com.
    • Please note that the information we will provide in response to a request under this right is limited to:
      • Personal contact details held
      • Gaming history records held or booking records held
      • Payments made or withdrawn.

Your right of objection to certain processing activities

  • If we are processing your data in our legitimate business interests you have the right to object to such processing on grounds relevant to your particular situation at any time.
    • In instances where you object we are obliged to cease our processing of your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or for the establishment, exercise or defence of legal claims.
    • As we explain in the section ‘Our use of your personal data ’, the majority of the activities we undertake are central to our business so were you to object it will usually mean that you have to close your account or terminate your membership. Even in these instances we may have to retain certain information for a longer period of time to ensure we comply with our legal and regulatory obligations or for anti-money laundering purposes.
  • You can object to our use of your data for direct marketing purposes by accessing our preference centre or by following the instructions in any marketing communication we send to you. Your personal data will no longer be used for such purposes.

Your right not to be subject to a decision based solely on automated processing 

  • You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.
    • In our opinion, we do not currently subject you to a decision based on profiling that produces legal effects concerning you or similarly affects you. We outline all automated profiling that we conduct and why here.

We are obliged to comply with, or respond to, any requests you make to exercise your rights free of charge and within one month of receipt of the request.

  • We will require you to provide us with proof of identity before we comply with your requests and will not consider the request valid until this has been provided.
  • If we do not uphold your request we will explain why. 
  • In certain circumstances we can extend the period within which we are obliged to comply by two further months. We will inform you of any such extension within one month.
  • If your request to exercise your rights is manifestly unfounded or excessive, in particular because of its repetitive character, we may either charge a fee taking into account our administrative costs of providing the information or refuse to act on the request.

Your right to complain to the regulator

  • You have the right to complain to the privacy regulator if you believe that we have infringed your privacy rights or disagree with a decision we have made about your privacy rights.
    • We are based in the UK so our principal regulator is the Information Commissioners Office.
    • If you are based in any other European country in which we operate you can complain to the regulator in your country of residence.
Top of page