Our Privacy Commitment

Sisal Group S.p.A. ("Sisal") is the Parent Company that manages and coordinates its subsidiaries operating both in Italy and abroad, in the gambling sector.
From a privacy perspective, each company part of Group acts as a "Data Controller" in accordance with the European General Data Protection Regulation no. 2016/679 ("GDPR") and the Italian data protection law.

Each company part of Sisal Group is responsible to define the terms and conditions under which the personal data of their customers (or potential customers), dealers, employees and suppliers are collected and processed and to ensure compliance with regulatory requirements as described on this page.

For further information on Sisal Group companies, their corporate structure and regulatory bodies, please visit the follow web page.

• Privacy Governance: Sisal has adopted a structured and integrated organizational model in order to define and disseminate accountability throughout the company on privacy and data protection. Here are some of the main roles defined:
  • Data Protection Officer: person responsible for overseeing Sisal compliance level to the law in force;
  • Privacy Function: an internal department composed by experienced professionals dedicated to the privacy of our users;
  • Data Manager: professionals appointed and trained to ensure the secure and compliant management of individual personal data processing activities;
• Privacy Learning and Training: our employees are periodically updated on Privacy, Compliance and Cyber Security topics and news through specific courses and training initiatives;
• Privacy Policy and Procedures: our employees and external collaborators are required to know and respect internal privacy policies and procedures;
• Data Processing Impact Assessment on your rights and freedom: our personal data processing are regularly subjected to a rigorous analysis to manage risks and impacts on the rights and freedom of our users;
• Security inspections and audits: our internal systems that process data are regularly audited and undergo risk assessment activities;
• Compliance to international security and data protection standards: Sisal has a number of international certifications that demonstrate its compliance with stringent technical and organizational security measures, designed to protect personal data. 

Sisal is committed to facilitate the user exercise of their Privacy rights and requests regarding the processing of their personal data in a simple and clear way.

The user can exercise their rights by sending a request to the email address privacy_sisal@legalmail.it.

Data Access:
Users have the right to know whether Sisal is processing his or her personal data and, if so, to receive a copy thereof.

Here are some examples of data access requests:

• A player registered on www.sisal.it requests a copy of its personal data related to his/her gaming account and related transactions made during the last year;
• A player requests confirmation as to whether or not personal data concerning him or her is being processed;
• A player requests information on which categories of personal data are being processed, the origin of the same (i.e. the subject or the specific source from which they were acquired) and the relative retention period.

Data rectification:
Users have the right to request that his or her personal data be updated or corrected.
If the user believes that Sisal retains incorrect or incomplete information, he/she is invited to submit a request for rectification.

For players who possess a Sisal account, it is possible to correct and update the data directly through their personal area. Players may also emailing us at privacy_sisal@legalmail.it to request the change.

Here are some examples of data rectification requests:

• Due to an error in filling out the registration form on the gambling platform, a player can request the correction of the personal data relating to his/her account;
• Due to the change in certain contact details (e.g. telephone number, e-mail address and/or residence) a player requires that the personal data on his/her account be rectified. 

Data deletion:
Sisal retains user data only for the time necessary to achieve the declared purposes for which they are processed and retain them in compliance with the applicable legal obligations.

Here are some examples of a data deletion request:

• After obtaining a copy of their personal data processed by Sisal, a player requests the deletion of a portion of personal data and a set of transactions related to the data.

Data restriction:
Users have the right to request the restriction of the processing of some of his/her personal data; while, in some circumstances the user may ask us to continue to retain personal data without using it. For example, where Sisal retains data that may be necessary for legal purposes, users may ask us not to delete these data.

Here are some examples of data restriction requests:

• After detecting and reporting the inaccuracy of some information processed by Sisal on his/her account, a user requests the limitation of the data processing concerning him/her for the period necessary to verify the correctness of the same;
• After requesting the closure of his/her gaming account and the deletion of the relevant personal data, the user requests the restriction of processing for data that cannot be immediately deleted (for example, due to specific regulatory obligations relating to the retention of financial data).

Data portability:
Users have the right to receive from Sisal the personal data concerning him/her, as well as to request the transmission of his/her personal data to another Data Controller.

Sisal is committed to send and/or transmit such data in a structured format, commonly used and readable by automatic devices.

Here are some examples of data portability requests:

• A player of the gambling platform requests the direct transmission of all personal data processed or a subset of these to another operator;
• A player requests to receive all personal data processed in a structured, commonly used and machine-readable format.

Right to object:
Users may have a reason to object to the processing of their data, for example when such processing is based on Sisal legitimate interests or on consent.

Before processing user data for our business interests, we ensure that user rights and freedoms are respected; if, however, the user should believe that the processing doesn’t respect his/her rights, he/she can contact us by sending an email to privacy_sisal@legalmail.it.

Here are some examples of objection requests to a data processing:

• A player objects to processing activities, including profiling activities, carried out for the purpose of sending informational material;
• A player objects to the processing of data carried out by Sisal for the performance of market research and surveys.

Right not to be subject to decisions solely based on automated processing:
Users have the right to object and not to be subject to a decision based solely on automated processing.

Here are some examples of objection requests to a decision based on automated processing:

• A player opposes profiling activities, carried out for the purpose of sending informational material;
• A player objects to the processing of data carried out by Sisal for the player risk profile evaluation.

1. Personal and contact data: name, surname, place and date of birth, e-mail address, social security number;
2. Data concerning identification documents: identity card, driving license, passport;
3. Data to access our website: username, game account code;
4. Images: "profile pictures" uploaded directly by our users on the web platforms;
5. Income, payment or transaction data: value and means of payment used during the creation / recharging / collection transactions carried out on gaming accounts, IBAN, payment history and, within the limits required by the legislation on anti-money laundering, annual disposable income, origin of funds and profession;
6. Data concerning preferences, habits, and interests: browsing preferences, game interests. 
7. Navigation data: IP address, type of device and operating system used;
8. Data relating to criminal convictions and offences: within the limits and according to the rules defined by anti-money laundering legislation;
9. Data communicated voluntarily throughout any contact channel such as online chat, contact center;
10. Data relating to problems arising from the game of which Sisal may become aware as part of the supervisory activity on the adoption of responsible gambling behavior.

For more information about the methods and purposes of data collection: see section 7 and 8.

• Opening and managing a gaming account: 
  • at one of our points of sale 
  • via www.sisal.it 
• Claim winnings;
• Exercise of one or more of the Privacy fundamental rights;
• Technical support requests, delivered to the call center or to the Privacy team;
• Submitting a bet;
• Submitting a complaint;
• Newsletters subscription;
• Submitting an application for a job position at Sisal.

• Consultation of external databases or publicly accessible sources (e.g. printed or digital newspapers).

Purposes for which we do not require consent:
Personal data that are collected and processed by Sisal must necessarily be collected to be able to pursue one or more purposes; in fact, the failure to collect them may make it impossible to follow up on a request or service to a user. These purposes include:

1. Execution of contractual obligations or response to user requests: for example, Sisal collects and processes the personal data necessary to ensure:
   • Gambling contract provision;
   • Response to requests received through the call center or privacy team;
   • Creating or managing an account on one of our websites or mobile apps;
   • Obtaining points or bonuses;
   • Collection of winnings;
   • Receiving informational communications on gambling services;
2. Fulfilment of legal obligations: Sisal collects and processes personal data to comply with the applicable law and legislation (e.g. anti-money laundering), in order to:
   • Identify problematic gambling behaviors by players;
   • Supporting people identified as at risk;
   • Identify and verify the identity of players:
     - the opening of the gaming account and in the case of changes in the information associated with it;
     - the recording of gambling sessions and the operations of endorsement and withdrawal from the gaming account;
     - the request for the collection of the winnings obtained. 
3. Legitimate interest: Sisal carries out processing operations, which take place based on its legitimate interest, against which it is always possible to object by means of an appropriate request.   

1. Profiling: Sisal processes personal data, collected on the basis of the granting of free, specific, informed and unequivocal consent, for example in order to allow:
   • The personalization of the website experience also on the basis of the activation of profiling cookies;
   • Process data related to the habits and interests of users during the game or based on the analysis of the opinions and preferences expressed as a result of a market research.

• 10 years: from the expiry of the existing contracts with the interested parties (in the absence of legal proceedings) to comply with legal obligations deriving, for example, from the Anti-Money Laundering legislation;
• 2 years: to supervise the adoption of responsible gambling behavior;
• 2 years: for profiling purposes;
• Until the termination of the requested service for sending information concerning the operation and characteristics of gambling services or the existence of new products and / or services.

Browsing on our website / app:
Sisal offers the possibility to change the privacy consent related to the use of various categories of cookies.

You can view and manage your preference through the "cookie banner" or directly on our cookie page. You can also visit the SDK Policy section of Sisal Apps to learn about which SDK Sisal uses and change your consent to their use.

Sisal Gaming Account:
Sisal offers the possibility to create a personal account on some of its websites, for example www.sisal.it, through which it is possible to access a personal area and change the privacy settings related to, for example, profiling or receiving newsletters.

• Encryption of personal data; 
• Data anonymization techniques; 
• Backup and recovery of systems and data in case of incident or disaster;
• Physical and logical access control to limit data access to authorized parties only.

• Prevention of threats and attacks to minimize the possibility of the occurrence of the risks of unavailability, unauthorized access and loss of data integrity;
• Identification of security requirements within the process of designing and development new services/solutions;
• Monitoring new technologies and new emerging strategies to manage cyber risks;
• Raising staff awareness on topics, behavioral rules and IT security policies adopted by Sisal;
• Identification of events potentially capable of materializing the occurrence of a risk;
• Recording and storing of events which have occurred for their subsequent analysis and related information, including for accountability purposes;
• Reaction to risk events, in order to avoid, contain or minimize their damage.

• Prepares and maintains an inventory of its IT resources in order to ensure the protection, in terms of integrity, availability and confidentiality, of the data stored, processed or transmitted, implementing security levels defined on the basis of their value;
• Verifies that the use of IT resources by employees takes place within the limits of the assigned authorizations, for exclusive work purposes and on the basis of the principles of diligence and fairness, which represent the values to be followed in every act or behavior carried out within the professional relationship;
• Classifies all IT assets by assigning a risk class calculated on the basis of their value resulting from the loss of availability, integrity and confidentiality of personal data. This classification determines the level of security and protection that must be provided for the management of classified company resources.

• Public authorities and/or supervisory bodies (e.g. Customs and Monopolies Agency, judicial authority, public security authority, Financial Investigations Office, etc.);
• Companies that compare the accuracy of the data provided with those available in public registers, databases, lists, deeds or documents in compliance with the obligations imposed by anti-money laundering legislation;
• Companies managing national and international fraud control systems;
• Subjects placing and/or managing Sisal products and services (e.g. Sisal Points of Sale);
• Subjects providing services for the management of the Sisal information system including mailing and chat services;
• Subjects engaged in banking and financial services;
• Subjects carrying out assistance activities (e.g. call centers);
• Subjects providing acquisition, processing, elaboration and storage services;
• Subjects managing the sending of commercial information;
• Subjects engaged in communication assistance and counselling (e.g. companies that carry out customer satisfaction surveys and market research relating to gambling services and products);
• Subjects who perform profiling activities on behalf of Sisal;
• Subjects publishing the shares and commercial offers of Sisal on their websites;
• Subjects managing online gambling platforms;
• Subjects managing participation in loyalty programs;
• Subjects carrying out control, revision and certification of the activities carried out by Sisal;
• Professional firms or consulting firms (e.g. accounting firms, law firms, etc.);
• Other companies part of the Sisal Group located abroad;
• Subjects that for various reasons may succeed in the ownership of legal relationships (e.g. assignees or potential assignees of goods and / or contracts).

Sisal may transfer some personal data to countries where the European Data Protection Regulation does not apply. If necessary, Sisal is committed to ensure that such transfer takes place in accordance with the regulations and instruments made available by the European Union.

You may request a copy of the personal data transferred abroad, as well as the list of third parties and/or international organizations to which personal data has been sent, by sending an email to privacy_sisal@legalmail.it.