Privacy policy

This privacy policy applies to all aspects of the processing of personal data by Swisslos Interkantonale Landeslotterie Genossenschaft (subsequently "Swisslos").

The protection of your privacy is important to us. We respect your personality and privacy and ensure that they are protected and that your personal data are processed in accordance with the law. The legal basis for the protection of personal data for people who are ordinarily resident in the EU area or the Principality of Liechtenstein differs from the legal foundations for people who are ordinarily resident in Switzerland. As the provisions of the European General Data Protection Regulation (GDPR) are stricter than Swiss data protection legislation, the relevant articles of the GDPR are listed. However, the applicability of the different legal bases depends on the relevant personal, factual and geographical area of validity.

Personal data includes all details and information that relate to identified or identifiable individuals. In addition to your contact details such as name, phone number, home address or e-mail address, this also includes other details that you provide to us, such as your date of birth.

The aim of this privacy policy is to advise you about which personal data we process for which purpose, who we forward these data to (if necessary), what rights you have as the affected person and how you can revoke your consent to the processing of your personal data if need be.

Here you can edit your personal cookie settings by clicking on the link.

I. Responsibility for data processing

Swisslos Interkantonale Landeslotterie Genossenschaft (Swisslos) is responsible for processing your data.

If you have any questions or suggestions with regard to data protection, you may contact our Data Protection Officer, Ms Laura Grüter Bachmann, at any time, either by phone on 0848 877 855, or by post at:

Swisslos Interkantonale Landeslotterie

Data Protection Officer

Lange Gasse 20

4002 Basel

or via e-mail at: datenschutz@swisslos.ch.

For natural persons ordinarily resident in the countries of the European Union (incl. the Principality of Liechtenstein) and for the country-specific supervisory authorities provided for in accordance with the General Data Protection Regulation (GDPR), we hereby appoint as EU data protection officer pursuant to Art. 27 GDPR the following person:

EU data protection representative pursuant to Art. 27 GDPR:

e-comtrust international ag

Zweigniederlassung Bremen

EU-Datenschutzvertreter

Achterdiek 28 b

D-28359 Bremen

Tel. 0049 (0)421 849 198 00

info@eu-datenschutz-vertreter.ch

http://www.eu-datenschutz-vertreter.ch/kontakt/

II. General information about data processing

1. Legal bases

Currently, the basis for the processing of personal data by Swisslos is the Gaming Contract, which is concluded between Swisslos and a game participant if

  • the player is registered and has confirmed acceptance of the Terms and Rules and Rules of Play in force for the respective product as well as the Terms and Rules for Internet Games;
  • the stake for the respective transaction or play request has been placed;
  • the participation transaction data have been transferred to Swisslos, the product has been bought, participation has been recorded on the Swisslos servers in accordance with the regulatory provisions and
  • a corresponding entry confirmation ticket has been generated on the Internet Gaming Platform (ISP).

Art. 6 para. 1 b) of the GDPR thus comes into effect as the legal basis for the processing of personal data.

Further, Swisslos is authorized and required to collect personal data and, if necessary, notify the supervisory authorities pursuant to Art. 6 para. 1 c) GDPR and on the basis of the following legal provisions:

  • Art. 51 of the Federal Act on Gambling (GamblA) of 29 September 2017 and Art. 41 of the Implementing Ordinance governing gambling of 7 November 2018
  • Art. 46ff. Implementing Ordinance
  • Art. 64 para. 3 GamblA and Art. 73f. Implementing Ordinance
  • Art. 67f. GamblA and Art. 3ff. of the FDJP ordinance on due diligence requirements to be met by organizers of major gaming events in order to combat money laundering and the financing of terrorism (GwV-EJPD) of 7 November 2018, Art. 9f. GwV-EJPD and Art. 7 Anti-Money Laundering Act (AMLA) of 10 October 1997 in conjunction with Art. 23 GwV-EJPD
  • Art. 78 para. 2 GamblA
  • Art. 82 GamblA and Art. 85 of associated Implementing Ordinance
  • Art. 109 GamblA

Furthermore, the legal basis for the processing of personal data arises from Art. 6 para. 1 a) and f), and especially explicit consent from our customers to process the personal data pertaining to them for one or more specific purposes.

2. Scope of processing of personal data

Our processing of our customers' and suppliers' personal data is restricted to those data that are required to provide a well-functioning website and our contents and services as well as for the fulfilment of the contract. Our customers' and suppliers' personal data are processed solely for the purposes agreed with them or if another legal basis exists (within the scope of the GDPR or Swiss data protection legislation). This may arise, for example, from technical necessity, contractual or legal requirements, or prevailing interests, i.e. for legitimate reasons, or if you expressly consent. Only those personal data which are actually required for the execution and management of our duties and services are collected, such as managing the customer relationship, managing the supplier relationship, providing our services, managing our games and contracts, complying with legal requirements, sales and payment transactions, responding to questions and concerns, information about our products and services as well as their marketing, and support for technical issues.

3. Your rights

Rights of the person affected (data subject rights)

You have the right to request information about your personal data which is processed by us within the framework of the data protection legislation applicable to you and to the extent given therein (such as in the case of the GDPR). In particular, you may request information about the purposes of processing, the categories of the personal data, the categories of recipients who are or were provided with your data, the planned retention period, the existence of a right to the rectification, deletion or restriction of processing, the origin of your data if this was not collected by us, as well as the existence of an automated decision-making tool, including profiling.

Right to object

If you have expressly consented to the use of your personal data, you also have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data pertaining to you based on Art. 6 para. 1 f) of the GDPR.

The responsible party will no longer process the personal data unless they can demonstrate compelling legitimate reasons for the processing which override the interests, rights and freedoms of the affected person, or for the assertion, exercise or defence of legal claims.

If you believe that the processing of your personal data by us contradicts the applicable data protection provisions, you may complain to the data protection authority. The responsible data protection authority in Switzerland is the Federal Data Protection and Information Commissioner (http://www.edoeb.admin.ch). In Liechtenstein, this is the Liechtenstein Data Protection Authority (https://www.datenschutzstelle.li).

Exercising these rights requires you to clearly prove your identity (e.g. with a copy of identification if your identity is not clear or cannot be verified). You may contact us at the address provided in Section I. to assert your rights.

Right to object

If and to the extent that you have consented to Swisslos processing your data with a corresponding declaration, you may revoke your consent for the future at any time. For newsletters, etc. you can revoke this consent yourself by clicking on the unsubscribe link or in your game account under "Newsletter".

4. Retention period of your data

Your data are deleted once they are no longer required to fulfil the purpose for which they were collected (e.g. as part of a contractual relationship). Data will be blocked rather than deleted if legal or actual obstacles prevent the data from being deleted (for example, statutory retention obligations in accordance with the Swiss Code of Obligations or special legislation).

III. Description and scope of data processing

1. Data collection at the point of registration and when purchasing services

For regulatory and contractual reasons, access to the chargeable offerings on the Internet Gaming Platform provided by Swisslos (website, apps) is only possible by registering and thus opening a customer account. To do so, we require the following personal details:

  • Title
  • Last name, first name
  • Date of birth
  • Address
  • Canton
  • E-mail address
  • User name
  • Password
  • Language
  • Copy of identification (ID card, residence permit or driving licence)

We retain these data for as long as you have a customer account and until the statutory retention periods have expired.

When you purchase and/or play with products on the Internet Gaming Platform, in addition to the data required for registration – depending on the product or service – we collect the following data:

  • Gaming transactions (participation, winnings, cancellations)
  • Date and time of access
  • Purchase date and duration of subscriptions incl. stake
  • Purchase channel (Internet, app, etc.)
  • IBAN no.
  • Limits

After two years, deactivated accounts are physically deleted by Swisslos without consultation with the account holder; as part of this process, a PDF containing the customer data is created and stored for a period of 10 years.

If a product is purchased at a sales outlet, and a prize is won which must be redeemed from Swisslos owing to its value, the winner's title, last name, first name, address, telephone number (if available), e-mail (if available), date of birth, language and bank details, together with the amount won, are stored for a period of ten years (sports bet wins of CHF 5,000 or more and other wins of CHF 10,000 or more) or three years (all other wins).

Within the context of the legal obligation upon us to ensure due diligence in the combating of money laundering, in the prescribed cases we must also collect the following personal data:

  • Nationality (incl. copy of an official identification document)
  • Classification as a foreign politically exposed person, or a person who is a close associate of such
  • Classification as a domestic politically exposed person, or a person who is a close associate of such
  • Declarations by players regarding beneficial owners
  • Documents including notes on the results of special investigations
  • Documents including notes on the risk classification and on the results of the application of risk characteristics.

The deletion of data collected as part of money laundering prevention activities is carried out in accordance with Art. 23 of the FDJP anti-money laundering ordinance.

Within the context of player protection, the documents regarding your personal, professional and financial situation that are required from you to fulfil the legal obligations are:

  • Salary certificates
  • Statement of assets and/or tax documentation
  • Extract from the debt collection register
  • Player information

If a gaming ban is put in place under Art. 80 of the Gambling Act, the blocked players and information about their identity, as well as the type and reason for the gaming ban, are entered in the Swiss ban register, VETO.

The basis for this data processing is Art. 6 para. 1 b) and c) of the GDPR.

2. Data collection when working with suppliers

As part of a supplier relationship, the following personal data are processed:

  • Company name
  • Title of supplier’s representative
  • First and last names of supplier's representative
  • Supplier’s address
  • Language
  • Title of contact person
  • First and last names of contact person
  • Telephone number of contact person
  • E-mail address of contact person

We retain these data for as long as the contractual relationship with Swisslos is in force and until any statutory retention periods have expired.

3. Identity, credit and KYC (know your customer) check

Players

You are advised that the application and order data provided for the purposes of checking your identity are compared with data that Swisslos obtains from CRIF AG (www.myCRIFdata.ch/#/dsg) and data from the Swiss Post web service (Kompetenzcenter Adressen, Kriens). In Switzerland, CRIF AG is a provider of credit risk management, fraud prevention and address management solutions for every phase of the customer relationship cycle.

In the context of player protection, in certain situations a credit check is also carried out by CRIF AG, Zurich, and/or a current extract from the credit register is obtained via CRIF AG, Zurich.

In the context of money laundering prevention, your application and order data provided as part of additional clarifications are compared with the KYC and/or due diligence data from LexisNexis GmbH, Düsseldorf.

The basis for this data processing is Art. 6 para. 1 c) of the GDPR.

4. Customer communication in the context of money laundering prevention and early detection in player protection

As part of its legal obligation in the areas of money laundering prevention and early detection in player protection, Swisslos may send you information on measures or request the submission of documentation or contact you (mainly by e-mail, SMS, telephone or post). To this end, your personal data listed in III/1 and 2 will be processed.

The basis for this data processing is Art. 6 para. 1 c) of the GDPR.

5. Data processing for the purpose of marketing communication

From time to time, Swisslos would like to send you information regarding offers and news regarding its products and services (e.g. via e-mail). To this end, your personal data collected during registration and use of the Swisslos game account will be processed for marketing and analysis activities. Specifically, this includes title, first name, last name, e-mail address, date of birth, your contract and subscription details, information about individual games or other services purchased (as well as your clicking behaviour on our websites). However, Swisslos will obtain your express permission in advance. In addition, web beacons (tracking pixels) are used for e-mailings. Tracking pixels are not cookies. They are deleted when the e-mail message is deleted. To prevent the use of web beacons, set your e-mail programme so that messages are not displayed in HTML (see section 9, "Use of cookies and third-party scripts").

When you receive information and offerings for marketing purposes, on each occasion you have the opportunity to unsubscribe from receiving any further messages. To this end, each e-mail contains an unsubscribe link which you can click on to prevent further messages. If you have a Swisslos customer account, you can log in at Swisslos.ch and manage your settings for marketing messages at any time under "Newsletter" in your user account. You can arrange the settings for push messages in the apps directly on your smartphone.

Each year, Swisslos sends out a company mailing (product ordering option for companies). This mailing is sent to addresses of companies that have already ordered from Swisslos in the past in connection with this company mailing, as well as to addresses it obtains from Künzler-Bachmann Directmarketing in St. Gallen. If you have any questions or wish to object to this, please contact this company directly by e-mailing datenschutz@kbdirect.ch, calling 071 314 04 04 or going to https://kbdirect.ch/datenschutz/.

When you receive company mailings (product order option for companies), on each occasion you have the opportunity to unsubscribe from receiving any further messages.

The basis for this data processing is Art. 6 para. 1 a) of the GDPR.

6. Data processing for market research purposes

We occasionally conduct our own market research to continuously improve the quality of our services and offers. We may therefore use your contact details for online surveys if you are registered to receive a newsletter. To this end, we will write to you in person to invite you to participate. We will then evaluate your survey responses in a neutral and pseudonymized form, without any connection being made to your name. The data collected in this way will also not be passed on to third parties and will be deleted once the market evaluations are complete and after a maximum of 360 days.

The basis for this data processing is Art. 6 para. 1 a) of the GDPR.

7. Data processing when using our websites

In principle, you can visit our websites without having to provide any personal details. When you visit our websites, our servers store each retrieval temporarily in a log file. During this process, the following technical data are collected and stored by us for up to six months, after which they are automatically deleted:

  • IP address of the requesting computer
  • date and time of access
  • website from which the site was accessed, with the search word used if possible
  • name and URL of the file accessed
  • searches conducted
  • your computer's operating system (provided by the user agent)
  • the browser you use (provided by the user agent)
  • device type if the site is accessed on a mobile phone
  • transmission protocol used

These data are collected and processed for reasons of system security and stability and for error and performance analysis, as well as for internal statistical purposes, and they enable us to optimize our Internet offering.

Moreover, these data are analysed for clarification and defence in the event of attacks on the network infrastructure or other unauthorized or improper use of the website, and if necessary used for identification purposes and for civil and criminal proceedings against the user concerned.

The basis for this data processing is Art. 6 para. 1 f) of the GDPR.

Finally, when you visit our websites, we use cookies as well as applications and tools which are based on the use of cookies. You will find more information on this in section 9.

8. Data processing where further websites are used (within the framework of partnerships, roadshows and microsites)

Data collected via Swisslos within the framework of partnerships, roadshows or microsites on a website other than Swisslos.ch through active data entry on your part and with your express consent will be stored by Swisslos in accordance with the consent expressly given as part of this campaign and used for marketing purposes. These data will be stored until revoked. At no time will data be passed on to third parties.

You may withdraw and revoke this express consent at any time in accordance with the conditions of section II/3 (Right to object).

The basis for this data processing is Art. 6 para. 1 a) of the GDPR.

9. Use of cookies and third-party scripts

To enable various functions on our website and to improve the user experience, we use cookies and scripts from third-party providers.

Data processing includes the following areas:

  • Cookie IDs / IP address: To identify and check the effectiveness of advertising measures.
  • Login and registration: Simplification and guarantee of a secure login process and storage of essential settings for future visits.
  • Navigation path: Recording of visit paths on our website to improve user-friendliness and navigation.
  • Dwell time: Analysing the time spent on the pages visited to assess the attractiveness of the website content.
  • Leaving the website: Determining from which pages our website is left in order to assess the effectiveness of our content.
  • Geographical data: Collecting access location to understand regional trends and provide localized content.
  • Device data: Collecting device data to optimize the website for different device types.
  • Visitor behavior: Distinguishing between returning and new visitors to understand user engagement and to personalize the user experience.
  • Conversion data: Collection of completion data to review the effectiveness of advertising measures.
  • E-commerce transactions: Evaluation of online completions to assess and improve the internet gaming offering.

We use this data and technology for the following purposes:

1. Analysis of user behaviour: To better understand how our website is used, which areas are preferred and how navigation can be improved.

2. Personalisation: To provide an experience tailored to the interests of our customers and to display relevant content.

3. Security measures: To ensure the security of our website and to protect against unauthorised access or misuse.

4. Advertising.

The processing of user data is anonymised.

For a complete overview and control over the use of cookies and third-party scripts, please refer to the consent management tool Usercentrics. Here you can give or revoke your binding consent to various categories of cookies and scripts and customise your data protection settings.

Please note that deactivating certain cookies and scripts may impair the functionality of our website and restrict access to certain features.

10. Apps

Swisslos offers you the opportunity to play different products using several apps.

When using the Swisslos apps, the following data are processed as follows:

  • Depending on the setting in the app, the user name and password are stored as part of the login process. If you click on "Register" in the app, registration is carried out in accordance with III/1 on the Internet Gaming Platform frontend. The app does not store these data.
  • Plays purchased and/or the entry confirmation ticket data created for these are transmitted after login and used while the app is running to set out the gaming history. Nothing is saved in the app. Anonymous tracking data (number of users and sessions, session duration, operating systems, device models, region, first-time starts, app executions, app updates and in-app purchases) that are collated as standard by Google Firebase within the framework of Google Analytics are collected. See: https://support.google.com/firebase/answer/6317517?hl=en&ref_topic=6317489
  • Crash reports are generated in accordance with https://support.google.com/firebase/answer/6400845, sent to Google Firebase, and visualized accordingly in the Swisslos customer account.

Location detection in Android apps

In order to offer its Android apps in the Google Play Store, Swisslos must ensure that the app can only be used within Switzerland, in accordance with the Google guidelines.

The location is detected by means of the IP address of the device used (smartphone, tablet, etc.). To do so, the IP address is sent to Swisslos, which then checks to see whether or not the IP address is registered in Switzerland.

If an IP address is identified that is registered outside Switzerland, the device location will be queried using Android’s own location services.

No location data will be forwarded to Swisslos or any third parties. Neither will any location data be stored in your apps, and the location query takes place anonymously. The further information contained in the privacy policy regarding the use of IP addresses shall apply.

More information on location detection in Android apps:

https://www.swisslos.ch/en/landingpages/swisslos/geoblocking_app_infopage.html

11. Push messages in apps

We use push messages to notify you of processes that may require your particular attention or a reaction from you.

When loading for the first time, the app registers with Google Firebase for the corresponding push messages. The default setting is for push messages to be deactivated. In iOS, the operating system explicitly asks for the customer's approval when the app starts. An individual token which is stored in the Google Firebase system (in the relevant Swisslos account) is generated for Google Firebase. If there is a message to be sent, Google Firebase takes over the delivery attempts to the mobile device. This requires access to the relevant push services of the operating system manufacturer (Apple notification service, Google push services). The individual push messages (e.g. jackpot, news) are sent out by an application (push server) installed at Swisslos. The push server sends this information to Google Firebase. Google Firebase then takes care of transmitting this to all mobile phones which have subscribed to the push message.

12. Newsletter (without customer account)

If you register to receive one of our newsletters, we immediately send an e-mail containing a hyperlink to the e-mail address provided. Click on this link to confirm your registration for the newsletter (double opt-in procedure). If you do not confirm your registration within 30 minutes, the link which was sent becomes invalid. After 24 hours, the e-mail address in our temporary list of prospective subscribers is deleted permanently and registration is cancelled.

By confirming registration for the newsletter, you also consent to the storage of your title, first name, last name and e-mail address, including the date that you applied to register. These data will be stored for as long as you use the newsletter service.

You can unsubscribe from the newsletter service at any time by clicking on the Unsubscribe function at the bottom of every newsletter. You can also request that the newsletter service be deactivated by sending an e-mail to datenschutz@swisslos.ch. After an internal check of your deregistration and an identity check, your registration and the associated personal data for the newsletter service will be deleted.

13. Contact form

You have the option of using a contact form to contact us. To do so, you must provide certain personal data.

We use these and any other data you enter voluntarily (such as title, address, phone number) solely to respond to your enquiry in an optimal and personalized manner. In addition, your data are stored for internal statistical purposes in an anonymized form and in connection with the reason for contact.

We store all e-mails that we receive via the contact form, as well as any correspondence arising from them in cases of player protection or prize payouts, to be able to process the cases or the payouts.

14. Contact with the Swisslos Customer Service Centre

If you phone our Swisslos Customer Service Centre, your conversation is recorded for training purposes and potentially to serve as evidence if required. You will be notified that the call is being recorded at the beginning of your call. The recordings are deleted after six months.

15. Contact with the Swisslos Player Protection unit

Players, their relatives, or third parties have the option of phoning our Player Protection Officer. We record and store data which is provided voluntarily (such as name, place of residence, telephone number, products played, personal situation). However, this is solely to enable us to handle your enquiry in an optimal and personalized manner.

If this results in a player protection case, the data will be processed within the scope of III/1 and 2.

16. Chat

You can participate in interactive forums, such as chat (e.g. Bingo), on Swisslos.ch and other online offerings from Swisslos. Please bear in mind that any information that you divulge in these chats will become public. Suspicious and unlawful statements (e.g. problems with gambling addiction, racism, hate speech, abusive language, etc.) are recorded and stored. In such cases, Swisslos will press criminal charges.

17. Data processing by third parties in Switzerland or abroad

To provide the range of games and for the purposes stated in this privacy policy, Swisslos also has personal data processed by third parties in Switzerland and/or abroad. We have concluded relevant processing contracts with all data processors which oblige them to observe the data protection and data security provisions, and which guarantee us comprehensive checking and monitoring rights as well as rights to information, rectification and deletion.

Swisslos ensures that when data is transferred to countries which do not have adequate data protection, the necessary measures (usually the conclusion of recognized data protection contracts, e.g. based on the EU standard contractual clauses) are taken to protect personal data in accordance with applicable data protection legislation.

Your personal data will be transmitted to the following third parties if necessary:

- Gespa – Swiss Gambling Supervisory Authority

The following data processors:

- Service providers in the areas of marketing, IT, gaming products, payment services and credit agencies

Personal data is only passed on to data processors for purposes that match those purposes for which Swisslos collected personal data, e.g. to fulfil its contractual obligations.

Your personal data will also be transmitted to the following independent controllers if necessary:

- Service providers for sport media and the sports betting industry

This means that Swisslos works with these companies but they do not act as data processors. As independent controllers, these companies decide for themselves how personal data is processed.

IV. Data security

We employ suitable technical and organizational security measures to protect your personal data stored by us from manipulation, partial or total loss, and against unauthorized access by third parties. We are certified in accordance with ISO 27001. Our security measures are continuously improved in line with technological developments.

We also take data security within the company very seriously. Our employees undertake to ensure confidentiality within the framework of their employment contract, and the external service providers contracted by us undertake in writing to adhere to the provisions on data protection.

We take appropriate precautionary measures to protect your data. However, the transmission of information over the Internet and other electronic means always carries certain security risks, and we cannot guarantee the security of information transmitted in this way.

In the event of any breaches of data protection, Swisslos is bound by the requirements regarding notification of the supervisory authorities (Art. 33 GDPR) as well as the obligation to inform the persons affected (Art. 34 GDPR).

V. Amendments to this privacy policy

We may change this privacy policy at any time without prior notice. The current version published on our website applies. If the privacy policy forms part of an agreement with you, we will notify you of any change in the event of an update if this can be done without disproportionate effort.

Valid as of 15 January 2024