Privacy policy

This privacy policy applies to all aspects of the processing of personal data by Swisslos Inter-kantonale Landeslotterie Genossenschaft (subsequently "Swisslos").

The protection of your privacy is important to us. We respect your personality and privacy and ensure that they are protected and that your personal data are processed in accordance with the law. The legal basis for the protection of personal data for people who are ordinarily resident in the EU area including the Principality of Liechtenstein currently differs from the legal foundations for people who are ordinarily resident in Switzerland. Until the new Swiss data protection legislation comes into force, Swisslos will voluntarily observe the stricter European provisions of the General Data Protection Regulation (GDPR) which came into force on 25 May 2018.

Personal data includes all details and information that relate to identified or identifiable individu-als. In addition to your contact details such as name, phone number, home address or e-mail address, this also includes other details that you provide to us, such as your date of birth.

The aim of this privacy policy is to advise you about which personal data we process for which purpose, who we forward these data to (if necessary), what rights you have as the affected person and how you can revoke your consent to the processing of your personal data if need be.

You must give your explicit agreement to this privacy policy by accepting the clickwrap agree-ment (activating the checkbox) on the Swisslos websites. You may revoke this consent from Swisslos at any time in accordance with the conditions of section II/3.

I. Responsibility for data processing

Swisslos Interkantonale Landeslotterie Genossenschaft (Swisslos) is responsible for processing your data.

If you have any questions or suggestions with regard to data protection, you may contact our Data Protection Officer, Ms Laura Grüter Bachmann, at any time, either by phone on 0848 877 855, or by post at:

Swisslos Interkantonale Landeslotterie

Data Protection Officer

Lange Gasse 20

4002 Basel

or via e-mail at: datenschutz@swisslos.ch.

For natural persons ordinarily resident in the countries of the European Union and for the coun-try-specific supervisory authorities provided for in accordance with the General Data Protection Regulation (GDPR), we hereby appoint as EU data protection representative pursuant to Art. 27 GDPR the following person:

EU data protection representative pursuant to Art. 27 GDPR

e-comtrust international ag

Zweigniederlassung Bremen

EU-Datenschutzvertreter

Achterdiek 28 b

D-28359 Bremen

info@eu-datenschutz-vertreter.ch

http://www.eu-datenschutz-vertreter.ch/kontakt/

II. General information about data processing

1. Legal bases

Currently, the basis for the processing of personal data by Swisslos is the Gaming Contract, which is concluded between Swisslos and a game participant if

  • the player is registered and has confirmed acceptance of the Terms and Rules and Rules of Play in force for the respective product as well as the Terms and Rules for In-ternet Games;
  • the player has consented to the privacy policy;
  • the stake for the respective transaction or play request has been placed;
  • the participation transaction data have been transferred to Swisslos, the product has been bought, participation has been recorded on the Swisslos servers in accordance with the regulatory provisions and
  • a corresponding entry confirmation ticket has been generated on the Internet Gaming Platform (ISP).

Art. 6 para. 1 b) of the GDPR thus comes into effect as the legal basis for the processing of personal data.

Further, Swisslos is authorized and required to collect personal data pursuant to Art. 6 para. 1 c) GDPR and on the basis of the following legal provisions:

  • Art. 51 of the Federal Act on Gambling (GamblA) of 29 September 2017 and Art. 41 of the Implementing Ordinance governing gambling of 7 November 2018
  • Art. 46ff. Implementing Ordinance
  • Art. 64 para. 3 GamblA and Art. 73f. Implementing Ordinance
  • Art. 67f. GamblA and Art. 3ff. of the FDJP ordinance on due diligence requirements to be met by organizers of major gaming events in order to combat money laundering and the financing of terrorism (GwV-EJPD) of 7 November 2018, Art. 9f. GwV-EJPD and Art. 7 Anti-Money Laundering Act (AMLA) of 10 October 1997 in conjunction with Art. 23 GwV-EJPD
  • Art. 78 para. 2 GamblA
  • Art. 82 GamblA and Art. 85 of associated Implementing Ordinance
  • Art. 109 GamblA

Furthermore, the legal basis for the processing of personal data arises from Art. 6 para. 1 a) and f), and especially explicit consent from our customers to process the personal data pertain-ing to them for one or more specific purposes.

2. Scope of processing of personal data

Our processing of our customers' personal data is restricted to those data that are required to provide a well-functioning website as well as our content and services. Our customers' personal data are processed solely for the purposes agreed with them or if another legal basis exists (within the scope of the GDPR or Swiss data protection legislation). This may arise, for exam-ple, from technical necessity, contractual or legal requirements, or prevailing interests, i.e. for legitimate reasons, or if you expressly consent. Only those personal data which are actually required for the execution and management of our duties and services are collected, such as managing the customer relationship, providing our services, managing our games and con-tracts, sales and payment transactions, responding to questions and concerns, information about our products and services as well as their marketing, and support for technical issues.

3. Your rights

Rights of the person affected

You have the right to request information about your personal data which are processed by us. In particular, you may request information about the purposes of processing, the categories of the personal data, the categories of recipients who are or were provided with your data, the planned retention period, the existence of a right to the rectification, deletion or restriction of processing, the origin of your data if this was not collected by us, as well as the existence of an automated decision-making tool, including profiling.

Right to object

If you have expressly consented to the use of your personal data, you also have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data pertaining to you based on Art. 6 para. 1 e) and f) of the GDPR. This also applies to profil-ing based on these provisions.

The responsible party will no longer process the personal data unless they can demonstrate compelling legitimate reasons for the processing which override the interests, rights and free-doms of the affected person, or for the assertion, exercise or defence of legal claims.

If personal data are processed for direct marketing purposes, the affected person shall have the right to object at any time to the processing of personal data pertaining to them for the pur-pose of such marketing; this includes profiling to the extent that it is related to such direct mar-keting.

If you believe that the processing of your personal data by us contradicts the applicable data protection provisions, you may complain to the Data Protection Office.

4. Retention period of your data

Your data are deleted once they are no longer required to fulfil the purpose for which they were collected (e.g. as part of a contractual relationship). Data will be blocked rather than deleted if legal or actual obstacles prevent the data from being deleted (for example, statutory retention obligations in accordance with the Swiss Code of Obligations).

III. Description and scope of data processing

1. Data collection at the point of registration and when purchasing services

For regulatory and contractual reasons, access to the chargeable offerings on the Internet Gaming Platform provided by Swisslos (website, apps) is only possible by registering and thus opening a customer account. To do so, we require the following personal details:

  • Title
  • Last name, first name
  • Date of birth
  • Address
  • Canton
  • E-mail address
  • User name
  • Password
  • Language

We retain these data for as long as you have a customer account and until the statutory reten-tion periods have expired.

When you purchase and/or play with products on the Internet Gaming Platform, in addition to the data required for registration – depending on the product or service – we collect the following data:

  • Telephone number (landline and/or mobile)
  • Gaming transactions (participation, winnings, cancellations)
  • Date and time of access
  • Purchase date and duration of subscriptions incl. stake
  • Purchase channel (Internet, app, etc.)
  • Limits

After two years, deactivated accounts are physically deleted by Swisslos without consultation with the account holder; as part of this process, a PDF containing the customer data is created and stored for a period of 10 years.

If a product is purchased at a sales outlet, and a prize is won which must be redeemed from Swisslos owing to its value, the winner's last name, first name, address, telephone number and bank details, together with the amount won, are stored for a period of 10 years.

Within the context of the legal obligation upon us to ensure due diligence in the combating of money laundering, in the prescribed cases we must also collect the following personal data:

  • Nationality
  • Classification as a foreign politically exposed person, or a person who is a close associ-ate of such
  • Classification as a domestic politically exposed person, or a person who is a close asso-ciate of such

The deletion of this data is carried out in accordance with Art. 23 of the FDJP anti-money laun-dering ordinance.

2. Identity check

You are advised that the application and order data provided are transmitted to CRIF AG in Zurich (www.crif.ch) and Postmail, Kompetenzcenter Adressen, Kriens, for the purposes of checking your identity. In Switzerland, CRIF AG is a provider of credit risk management, fraud prevention and address management solutions for every phase of the customer relationship cycle. Neither CRIF AG nor Postmail are permitted to pass these data on to third parties.

3. Data processing in connection with marketing

If your express consent is provided, we use the following personal data for marketing purposes: first name, last name, gender, e-mail address, date of birth, phone number, your contract and subscription details, information about individual games or other services purchased as well as your clicking behaviour on our websites.

We use these data to display information and offers on www.swisslos.ch and in the Swisslos apps that are as relevant to you as possible. To this end, we only use those data that we can clearly assign to you on the basis of your online registration, if you are active and have given your express consent to a subscription to our newsletter, or have consented to receiving adver-tising offers.

When you receive information and offerings for marketing purposes, on each occasion you have the opportunity to unsubscribe from receiving any further messages. To this end, each e-mail contains an unsubscribe link which you can click on to prevent further messages. If you have a Swisslos customer account, you can log in at Swisslos.ch and manage your settings for marketing messages at any time under "Newsletter & SMS" in your user account. You can ar-range the settings for push messages in the apps directly on your smartphone. More infor-mation can be found in section 10.

4. Data processing for market research purposes

We occasionally conduct our own market research to continuously improve the quality of our services and offers. We may therefore use your contact details for online surveys if you are registered to receive a newsletter. To this end, we will write to you in person to invite you to par-ticipate. We will then evaluate your survey responses in a neutral and pseudonymized form, without any connection being made to your name. The data collected in this way will also not be passed on to third parties and will be deleted once the market evaluations are complete and after a maximum of 360 days.

5. Data processing when using our websites

In principle, you can visit our websites without having to provide any personal details. When you visit our websites, our servers store each retrieval temporarily in a log file. During this process, the following technical data are collected and stored by us for up to six months, after which they are automatically deleted:

  • IP address of the requesting computer
  • date and time of access
  • website from which the site was accessed, with the search word used if possible
  • name and URL of the file accessed
  • searches conducted
  • your computer's operating system (provided by the user agent)
  • the browser you use (provided by the user agent)
  • device type if the site is accessed on a mobile phone
  • transmission protocol used

These data are collected and processed for reasons of system security and stability and for error and performance analysis, as well as for internal statistical purposes, and they enable us to optimize our Internet offering.

Moreover, these data are analysed for clarification and defence in the event of attacks on the network infrastructure or other unauthorized or improper use of the website, and if necessary used for identification purposes and for civil and criminal proceedings against the user con-cerned.

Finally, when you visit our websites, we use cookies as well as applications and tools which are based on the use of cookies. You will find more information on this in section 7.

6. Data processing where further websites are used (within the framework of partnerships, roadshows and microsites)

Data collected via Swisslos within the framework of partnerships, roadshows or microsites on a website other than Swisslos.ch through active data entry on your part and with your express consent will be stored by Swisslos in accordance with the express consent you have issued and used for marketing purposes. These data will be stored until revoked. At no time will data be passed on to third parties.

You may withdraw and revoke this express consent at any time in accordance with the condi-tions of section II/3 (Right to object).

7. Cookies

We use cookies on our website to make our offering user-friendly. Cookies are small text files your browser creates automatically and stores on your device (laptop, tablet, smartphone, etc.) when you visit our site. The cookies remain stored until you delete them. This allows us to rec-ognize your browser when you visit again in future. We would like to point out that deactivating cookies in the browser in question may mean that you are no longer able to use all of the func-tions of our website (see III/3).

If you do not wish to use cookies in general, you can set up your browser so that you receive a notification about cookies being set so you can choose to allow them on an individual basis. You will find all of the information you need to change your settings yourself either below or in the "Help" section of your browser:

  • Internet Explorer: https://support.microsoft.com/en-gb/help/17442/windows-internet-explorer-delete-manage-cookies
  • Mozilla Firefox: http://support.mozilla.com/en-US/kb/Cookies
  • Google Chrome: https://support.google.com/chrome/answer/95647?hl=en
  • Safari: https://support.apple.com/kb/PH17191?locale=en_US

8. Tracking tools

We use web analysis services provided by Adform, Google Analytics and Frosmo to provide a needs-oriented website design and to continually improve our websites, apps and e-mails.

Pseudonymized user profiles are created and small text files (cookies), which are stored on your computer, are used in connection with our websites. The information produced by these cookies about your use of this website are transferred to the servers of these service providers, and stored and prepared for us there. In addition to the data listed under section 5, we also re-ceive the following information:

  • Login
  • Registration
  • Navigation path that a user takes on the website
  • Amount of time spent on the websites
  • Website from which Swisslos.ch is left
  • Country, region or town/city where the website is accessed
  • Device (type, version, colour depth, resolution, width and height of browser window)
  • Returning or new visitor
  • Transactions carried out (e-commerce)

This information is used to evaluate the use of the websites.

Below is some additional information about the tracking tools we use:

a. Adform

On our websites we use the web analysis service provided by Adform, which is headquartered in Copenhagen, Denmark. Adform uses cookies to display relevant adverts to the user, im-prove the campaign performance or prevent a user from being shown the same adverts sever-al times. Using a cookie ID, the tools record which adverts are displayed in which browser and can therefore prevent them from being shown several times by activating the Frequency Cap-ping function. According to the third-party providers, the cookies used by the tools do not con-tain any personal information. Owing to the tools used, your browser will automatically create a direct connection to the server of the respective third-party provider. Adform is contractually prohibited from forwarding data for any other purpose than that agreed upon.

We use this tool to display adverts which may interest you and to analyse aggregated data in general.

You can find more information about Adform at https://site.adform.com/datenschutz-opt-out/.

There are several ways in which you can prevent participation in the Adform service:

  • by changing the settings in your browser software accordingly – in particular, disabling third-party cookies will prevent third-party adverts from being shown.
  • by deactivating cookies for conversion tracking by setting your browser to block cook-ies from the domain https://site.adform.com.

By expressly accepting this privacy policy (clickwrap agreement), you consent to the pro-cessing of data collected on you by Adform in the manner described above and for the purpose stated above. You may withdraw and revoke this express consent at any time in accordance with the conditions of section II/3 (Right to object).

b. Google Analytics

Our website uses Google Analytics, a web analysis service provided by Google Inc. ("Google"). Google Analytics uses cookies that are stored on your computer to enable analysis of how you use the website. Information generated by the cookie regarding your use of this website is usu-ally forwarded to a Google server in the USA and stored there. If IP anonymization is activated on our website, your IP address is truncated beforehand by Google within member states of the European Union or other parties to the Agreement on the European Economic Area.

You can prevent cookies from being stored by altering the settings of your browser software. We would point out, however, that this may stop you from making full use of all this website’s features.

If you wish to prevent your data from being used by Google Analytics, you can click on the following link to download and install a browser add-on to deactivate Google Analytics: http://tools.google.com/dlpage/gaoptout?hl=en.

By expressly accepting this privacy policy (clickwrap agreement), you consent to the pro-cessing of data collected on you by Google in the manner described above and for the purpose stated above. You may withdraw and revoke this express consent at any time in accordance with the conditions of section II/3 (Right to object).

c. Frosmo

For the visual design of our website and many other technical functions we rely on scripts produced by Frosmo Ltd., Kaivokatu 8B, FI-00100 Helsinki (Frosmo).

Frosmo uses cookie files to ensure technical functionality and to find and rectify errors where necessary. The data transmitted to Frosmo comprise a server logfile, which contains e.g. your IP address, date and time of retrieval, amount of data transferred and the requesting provider (access data) and documents the retrieval. In addition, static values about the amount of time spent on the site, the number of pages retrieved and the actual retrieved pages are transmitted. The products you play are also transmitted to Frosmo for the purpose of ensuring functionality. The data are always transferred in an encrypted, anonymized or pseudonymized form and are not evaluated systematically. Frosmo is contractually prohibited from forwarding data for any other purpose than that agreed upon. The retention period is a maximum of 365 days, after which the data are automatically deleted.

Please note that our Internet Gaming Platform only functions in an extremely limited manner if Frosmo is not activated.

By expressly accepting this privacy policy (clickwrap agreement), you consent to the pro-cessing of data collected on you by Frosmo in the manner described above and for the purpose stated above. You may withdraw and revoke this express consent at any time in accordance with the conditions of section II/3 (Right to object).

d. Inxmail

When sending e-mails we use e-mail marketing services provided by Inxmail. Our e-mails may therefore contain a web beacon (tracking pixel) or a similar technical tool. A web beacon is a 1x1 pixel-sized, invisible graphic which is linked to the user ID of the e-mail subscriber in question. Web beacons are not cookies and are at no time stored or implemented on the device of the e-mail recipient.

Drawing on these services makes it possible to evaluate whether our e-mails are opened by recipients. It is also possible to record and evaluate their clicking behaviour. We use these data for statistical purposes and to optimize the content of our messages. This enables us to better tailor the information and offers in our e-mails to the individual interests of each recipient. The tracking pixel is deleted when you delete the e-mail.

To prevent the use of the web beacon in our e-mails, change the settings of your e-mail pro-gram so that HTML is not shown in messages.

By expressly accepting this privacy policy (clickwrap agreement), you consent to the pro-cessing of data collected on you by Inxmail in the manner described above and for the purpose stated above. You may withdraw and revoke this express consent at any time in accordance with the conditions of section II/3 (Right to object).

9. Apps

a. "Old" apps: Swiss Lotto and EuroMillions iOS

When using these apps, the following data are processed as follows:

  • Depending on the setting in the app, the user name and password are stored as part of the login process. If you click on "Register" in the app, registration is carried out in accordance with III/1 on the Internet Gaming Platform front-end. The app does not store these data.
  • Plays purchased and/or the entry confirmation ticket data issued for these are trans-mitted after login and used while the app is running to set out the gaming history. Nothing is saved in the app.

b. "New" apps: EuroMillions Android, clix iOS and sports bets Android and iOS

When using these apps, the following data are processed as follows:

  • Depending on the setting in the app, the user name and password are stored as part of the login process. If you click on "Register" in the app, registration is carried out in accordance with III/1 on the Internet Gaming Platform front-end. The app does not store these data.
  • Plays purchased and/or the entry confirmation ticket data created for these are transmitted after login and used while the app is running to set out the gaming history. Nothing is saved in the app. Anonymous tracking data (number of users and ses-sions, session duration, operating systems, device models, region, first-time starts, app executions, app updates and in-app purchases) that are collated as standard by Google Firebase within the framework of Google Analytics are collected. See: https://support.google.com/firebase/answer/6317517?hl=en&ref_topic=6317489
  • Crash reports are generated in accordance with https://support.google.com/firebase/answer/6400845, sent to Google Firebase, and visualized accordingly in the Swisslos customer account.

10. Push messages in apps

a. Procedure with "old" apps: Swiss Lotto and EuroMillions iOS

We use push messages to notify you of processes that may require your particular attention or a reaction from you.

After downloading the app, the mobile device registers itself with the corresponding push ser-vice. The service then sends the registration ID and/or the token to the registered device. Reg-istration IDs and/or tokens are sent from the app to the server and stored there in a database. If a push notification is sent, the server sends the desired message together with the registration ID and/or token to the push service, which forwards the push message to the respective regis-tered devices.

You can choose whether to receive push messages or not during the initial setup stage in the app or at a later stage on your device.

b. Procedure with "new" apps: EuroMillions Android, clix iOS and sports bets Android and iOS

When loading for the first time, the app registers with Google Firebase for the corresponding push messages. The default setting is for push messages to be deactivated. In iOS, the operat-ing system explicitly asks for the customer's approval when the app starts. An individual token which is stored in the Google Firebase system (in the relevant Swisslos account) is generated for Google Firebase. If there is a message to be sent, Google Firebase takes over the delivery attempts to the mobile device. This requires access to the relevant push services of the operat-ing system manufacturer (Apple notification service, Google push services). The individual push messages (e.g. jackpot, news) are sent out by an application (push server) installed at Swisslos. The push server sends this information to Google Firebase. Google Firebase then takes care of transmitting this to all mobile phones which have subscribed to the push message.

11. Newsletter

If you register to receive one of our newsletters, we immediately send an e-mail containing a hyperlink to the e-mail address provided. Click on this link to confirm your registration for the newsletter (double opt-in procedure). If you do not confirm your registration within 30 minutes, the link which was sent becomes invalid. After 24 hours, the e-mail address in our temporary list of prospective subscribers is deleted permanently and registration is cancelled.

By confirming registration for the newsletter, you consent to the storage of your title, first name, last name and e-mail address, including the date that you applied to register. These data will be stored for as long as you use the newsletter service.

You can unsubscribe from the newsletter service at any time by clicking on the Unsubscribe function at the bottom of every newsletter. You can also request that the newsletter service be deactivated by sending an e-mail to datenschutz@swisslos.ch. After an internal check of your deregistration and an identity check, your registration and the associated personal data for the newsletter service will be deleted.

12. Contact form

You have the option of using a contact form to contact us. To do so, you must provide certain personal data.

We use these and any other data you enter voluntarily (such as title, address, phone number) solely to respond to your enquiry in an optimal and personalized manner. In addition, your data are stored for internal statistical purposes in an anonymized form and in connection with the reason for contact.

We store all e-mails that we receive via the contact form, as well as any correspondence aris-ing from them in cases of gambling addiction or prize payouts, to be able to process the cases or the payouts.

13. Contact with the Swisslos Customer Service Centre

If you phone our Swisslos Customer Service Centre, your conversation is recorded for training purposes and potentially to serve as evidence if required. You will be notified that the call is be-ing recorded at the beginning of your call. The recordings are deleted after six months.

14. Contact with the Swisslos Player Protection Officer

Players, their relatives, or third parties have the option of phoning our Player Protection Officer. We record and store data which is provided voluntarily (such as name, place of residence, tele-phone number, products played, personal situation). However, this is solely to enable us to han-dle your enquiry in an optimal and personalized manner.

15. Chat

You can participate in interactive forums, such as chat (e.g. Bingo), on Swisslos.ch and other online offerings from Swisslos. Please bear in mind that any information that you divulge in these chats will become public. Suspicious and unlawful statements (e.g. problems with gam-bling addiction, racism, hate speech, abusive language, etc.) are recorded and stored. In such cases, Swisslos will press criminal charges.

16. Transfer of personal data to third parties

By giving your express consent, you permit us to forward your personal data to our partners for data processing. We use the following data processors for the following purposes:

DatenverarbeiterÜbertragung folgender personenbezogener DatenZweck der ÜbertragungPeriodizität
Scientific Games Inter-national GmbH- Personalstammdaten
- Kommunikationsdaten
- Kundenhistorie
- Vertragsabrechnungs- und Zahlungsdaten
Wartung von automatisierten Verfahren und Datenverarbei-tungsanlagenBei Bedarf
Adesso- Personalstammdaten
- Kommunikationsdaten
- Kundenhistorie
Weiterentwicklung Software und SupportBei Bedarf
emineo- Personalstammdaten
- Kommunikationsdaten
- Kundenhistorie
Weiterentwicklung Software und Support bei der Spiele-plattformBei Bedarf
Element 01- Personalstammdaten
- Kommunikationsdaten
- Vertragsabrechnungs- und Zahlungsdaten
Erstellung und Test von Soft-ware Bei Bedarf
Lenaxis GmbH- Personalstammdaten
- Kommunikationsdaten
PromotionenBei Bedarf
Elca- Personalstammdaten
- Kommunikationsdaten
- Kundenhistorie
VETO-SperrdatenbankDauernd
Bisnode B&D AG- Personalstammdaten
- Kundenhistorie
- Vertragsabrechnungs- und Zahlungsdaten
ZahlungserfahrungsaustauschMonatlich

We have concluded relevant processing contracts with all data processors which oblige them to observe the data protection and data security provisions, and which guarantee us comprehen-sive checking and monitoring rights as well as rights to information, rectification and deletion.

IV. Data security

We employ suitable technical and organizational security measures to protect your personal data stored by us from manipulation, partial or total loss, and against unauthorized access by third parties. We are certified in accordance with ISO 27001. Our security measures are continuously improved in line with technological developments.

We also take data security within the company very seriously. Our employees undertake to ensure confidentiality within the framework of their employment contract, and the external service providers contracted by us undertake in writing to adhere to the provisions on data protection.

We take appropriate precautionary measures to protect your data. However, the transmission of information over the Internet and other electronic means always carries certain security risks, and we cannot guarantee the security of information transmitted in this way.

In the event of any breaches of data protection, Swisslos is bound by the requirements regarding notification of the supervisory authorities (Art. 33 GDPR) as well as the obligation to inform the persons affected (Art. 34 GDPR).

V. Amendments to this privacy policy

We reserve the right to amend or supplement this policy at any time and at our own discretion. If this privacy policy is amended, you will be prompted to accept the new provisions again by clicking "Accept" (checkbox, clickwrap agreement).

Where the English, French or Italian version of this privacy policy deviates from the German version, the German version alone is binding.

Valid as at: January 2019