Anti-Bribery and Anti-Corruption Policy Statement
The National Betting Authority’s ultimate priority and objective is the development of a culture based on integrity and transparency, which shall be fully aligned with our principles and values.
Adopting this Policy, reflects the Authority’s commitment to a more decisive suppression of bribery and corruption, a global phenomenon facing our country, both in the public and private sector. Bribery and corruption hinder good governance practices while at the same time posing strong threats to sustainable development and good faith between trading parties, undermining economic and social progress and development.
You can find the Anti-Bribery and Anti-Corruption Policy Statement here
Information Security Policy Statement
Information security constitutes one of the focal matters of interest and concern for organisations, as data and information are ever-increasing in volume, complexity and criticality, whereas access to this is expanding, rendering it more vulnerable and susceptible.
Due to its role and competences as the licensing and supervising body of the betting sector in the Republic of Cyprus, National Betting Authority, is responsible for the collection, processing and retention of sensitive personal and business information and data. Perceiving the role and the increased risk and plethora of threats it could potentially face as an organisation, the Authority is committed, through this Policy, to implementing and continually improving the Information Security Management System, in accordance with the guidelines and requirements of the international standard ISO/IEC 27001. The Authority’s objective through its certification with the international standard ISO/IEC 27001, is to assure the integrity, availability and confidentiality of the information which pertains to the organisation’s duties and responsibilities.
You can find the Information Security Policy Statement here.
Information Security Policy for External Users
This Information Security Policy document consists of a set of rules enacted by the National Betting Authority’s (the Authority) management to ensure that relevant external parties and networks within the organization meet the minimum requirements related to information security and data protection. Owner of this Policy is the Authority.
The National Betting Authority (henceforth “NBA” or “Authority”) is the regulatory body responsible for the licensing and supervision of sports betting and other gambling services within the Republic of Cyprus. It was set up under the Betting Law of 2012 as an independent administrative authority with financial independence and autonomy.
The NBA collects and processes all the data and information as may be required in order to carry out its regulatory functions and legal responsibilities. When determining the purposes and means of the processing of such personal data, the NBA is acting as the “Data Controller” for the purposes of the General Data Protection Regulation (henceforth GDPR) and the Law providing for the Protection of Natural Persons with regard to the Processing of Personal Data and for the Free Movement of such Data of 2018 (Law 125(I)/2018).
1. What is personal data and special category data?
Personal data is defined by the GDPR as any information relating to an identified or identifiable natural person. It may consist of identifiers like your name but also identification numbers, location data, online identifiers and/or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
Special category data according to the GDPR includes data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and genetic data, biometric data, data concerning health or data concerning a person’s sex life or sexual orientation.
2. What personal data do we collect?
As a regulatory body, most of the personal data the NBA collects and processes is data relating to its regulatory functions and responsibilities. This means that the majority of data processing is conducted on the basis of what is necessary for the performance of a task carried out in the public interest and/or in exercising the NBA’s statutory functions.In order to carry out its regulatory functions and legal responsibilities as a regulator, the NBA processes certain personal data relating to licensees, employees, players and the general public. The Authority may collect and process personal information in order to provide its services, to carry out its regulatory, licensing and enforcement functions, to meet its legal responsibilities, generate statistics and generally, for regulatory and legal reasons.
Personal data and special category data may be collected and processed on one or more of the legal bases delineated below:
- Legal obligation: the processing is necessary for us to comply with the law,
- Public task: the processing is necessary for us to perform a task in the public interest or for our official functions, and the task or function has a clear basis in law,
- Consent: the individual has given clear consent for us to process their personal data for a specific purpose,
- Contract: the processing is necessary for a contract we have with the individual or their organisation, or because they have asked us to take specific steps before entering into a contract.
- Vital interests: the processing is necessary to protect someone’s life.
3.1 Processing of Data related to Licensees
The processing of personal data relating to data subjects of entities licensed by the NBA is generally based on the fact that such processing is necessary for complying with a legal obligation to which the Authority is subject or on the fact that such processing is in exercise of official authority that is vested in the NBA by virtue of Cypriot or European law or is necessary for the performance of a task in the public interest.
3.2 Processing of Data Collected at Application Stage
The Betting Law of 2019 (L.37(I)/2019) assigns to the NBA the power and responsibility to request any data it deems necessary to carry out its functions as prescribed by law. Accordingly, the NBA regularly processes personal data pertaining to licensees and some of their members, including but not limited to their shareholders, ultimate beneficial owners, and employees performing key roles as determined by the Authority. This data is provided at the application stage, but may also be requested by the Authority at any other stage throughout the licensing relationship.
The NBA ensures that the type and extent of any such data processing is necessary for the legally authorised data processing activity, and that it complies with all applicable requirements.
3.3 Data Collected or Created at any Stage During the Duration of the Licence
Throughout the duration of a valid licence, the NBA as the regulatory body responsible for the licensing and supervision of sports betting and other gambling services within the Republic of Cyprus, may deem it necessary to collect further data from the licensees or from third parties or bodies, as it may deem necessary.
The Authority may also be gathering data on the basis of a licensee’s activities.
Moreover, the Authority’s HAL 2000 permits individuals to apply for additional licences, amend profiles and settings, access certain documents, submit documentation and financial records. This information is processed for regulatory purposes in order for the NBA to fulfil its legal and regulatory functions.
3.4 Regulatory and Enforcement Purposes
The Betting Law of 2019 (L.37(I)/2019) empowers the NBA to investigate and assess the compliance of licensees and to take any enforcement action it may deem necessary, in accordance with the law. Personal data provided to the Authority will be used in the course of conducting investigations into the activities of all authorised and interested persons.
The Authority may also publish any regulatory and enforcement action taken, at its discretion and according to the GDPR and the Law 125(I)/2018.
3.5 Processing of Player Data provided through the Complaints form
The Betting Law of 2019 (L.37(I)/2019) empowers the NBA to examine player complaints regarding Class A or B licensed bookmakers or authorised agents or premises licence holders. The NBA processes personal data relating to players and that has been supplied by the players themselves when this is necessary to provide assistance to the player with any general or technical query and when this is necessary to mediate any disputes arising between players and licensees. The Authority ensures that such data is processed exclusively for the purpose for which it has been collected and that it is processed in accordance with the applicable policies and procedures. In every instance the NBA will log the details of the complainant and the details of any other individuals named by the complainant. Most often, the Authority will have to share the complainant’s identity with the licensee in order to be able to resolve the situation. If a complainant would not like to be identified to an operator, it is recommended that they inform us of that wish as soon as possible, and the NBA will try to respect that, however if it is determined that there is an overarching public interest to proceed with the investigation of a complaint and this can only be done by disclosing the complainant’s identity, the NBA may decide to do so.
3.6 Processing of Player Data for the Purposes of any Investigation
In the event of any suspicion of any specified crimes, including but not limited to money laundering, funding of terrorism, and manipulation of sports competitions, licensees may forward specific player data to the NBA, as well as to other supervisory Authorities. The Authority is legally bound to process this data in the course of its investigations into these crimes, and may transfer such data to another body, or Authority where the law requires, or permits it to do so. This may include any relevant public authorities, local or overseas, gaming regulators, sports integrity bodies, sports governing bodies, and law enforcement agencies.
As part of the NBA’s regulatory responsibilities, it will publish consultations on various topics, seeking the views of the industry, shareholders, parliamentarians, researchers and the public. The Authority will process personal data for the purpose of informing the development of its policy, guidance and other regulatory work in the subject area of the consultation. If contact details are provided, we may use these to monitor responses or contact you in relation to the consultation.
We may publish a summary of the consultation responses, but these will not contain any personal data. We may decide to publish your name (and on whose behalf you have responded) to indicate that you have responded to this consultation, we will only ever do this with your consent.
3. Keeping your personal information secure
The NBA has a duty to:
- keep sufficient information to provide services and fulfil its legal responsibilities,
- keep your records secure and accurate,
- only keep information as long as it is required.
The Authority uses technical and organisational measures in accordance with good industry practice to safeguard your information.
4. Retention of Data
Please see our Data Retention Policy.
5. What are your data protection rights?
Every individual who is the subject of personal data processed by the NBA has the following rights:
- Right to Rectification,
- Right to Erasure,
- Right to restrict processing,
- Right to object processing.
It is important to note that the rights of data subjects are tied with certain conditions and limitations that are stipulated within the GDPR itself. The NBA may also refuse to act upon requests that are deemed to be manifestly unfounded or excessive.
The Authority reserves the right to charge a reasonable fee for repetitive requests, requests for further copies of the same data, and, or requests which are deemed to be manifestly unfounded or excessive.
You can submit your request by email only to: [email protected]. The request must include:
- Personal ID
- Email address
To ensure confidentiality, the NBA requires evidence which will confirm your identity. A copy of photo identification, and proof of your address such as a copy of your personal ID card or passport and a recent utility bill will suffice.
Most requests will receive a response within one month of receipt of a valid request; those which are more complex or numerous may take up to three months.
The right to rectification: You are entitled to have relevant records/files amended if the personal data the NBA holds is inaccurate or incomplete.
The right to erasure: In limited circumstances you will have the right to request that erasure of the information the NBA holds about you. As most of the processing is conducted in order for the Authority to comply with a legal obligation and/or perform a public task, this right will not be available in most circumstances.
However, this right may be exercised in the following situations:
- when the data is no longer needed for the purposes it was collected,
- where you have withdrawn consent and there is no other lawful basis on which we can continue to process it,
- you object to processing and there are no overriding legitimate grounds to continue,
- where the data has been unlawfully processed,
- where the data has to be erased for compliance with a legal obligation.
The right to restrict processing: You have the right to seek to restrict processing of your data in the following circumstances:
- the accuracy of the data is contested – for a period necessary to allow us to verify its accuracy
- the processing is unlawful, and you request restriction instead of erasure, or
- we no longer need the data for the purposes it was collected, but you need it in connection with a legal claim.
The right to object processing: Unless the NBA can demonstrate compelling legitimate grounds for continuing the processing of data, you have the right to object to the Authority’s processing.
6. Accessing your personal data
You have the right to confirmation as to:
- whether or not the NBA is processing your personal data;
- the period that the data will be retained;
- with whom the data/information has been shared with.
You may not be entitled to see all the information held about you if an exemption under the GDPR / Law providing for the Protection of Natural Persons with regard to the Processing of Personal Data and for the Free Movement of such Data of 2018 (Law 125(I)/2018) applies.
7. Sharing Personal Data
Sharing data is primarily for the purpose of performing our regulatory functions such as assessing individuals’ suitability to be licensed, but it may also be necessary to share information for other reasons, such as the prevention and detection of crime or the collection of tax.
Your data may be shared, under the NBA’s express instructions, with third parties who fulfil a service on the Authority’s behalf. It may also be shared with other competent authorities where it is necessary to do so and where the Authority is legally required or permitted to do so.
In all cases, the data shall be shared in a fair, transparent and in an encrypted manner.
8. What are cookies and how do we use them:
Cookies are text files placed on your computer or mobile device to collect standard internet log information and visitor behaviour information. The website creates Cookies for each session when you visit them.
- to ensure that any selections you make on our Websites are adequately recorded;
- for analysis of the traffic on our Websites, so as to allow us to make suitable improvements;
- in order to recognise your device so you don’t have to give the same information several times during one task;
- recognising that you may already have given a username and password so you don’t need to do it for every web page requested.
9. How to manage cookies
You can set your browser not to accept cookies, and the above website tells you how to remove cookies from your browser. However, in a few cases, some of our website features may not function as a result.
10. Privacy policies of other websites
11. Changes to this privacy statement
The NBA keeps this privacy statement under regular review and may change it from time to time. If it amends this statement the Authority will post the changes on this page, and place notices on other pages of our website as applicable.
12. Data Protection Officer
The Authority’s Data Protection Officer (DPO) can be reached on [email protected] or +357 22881800
Alternatively, you may direct any correspondence to:
Data Protection Officer
National Betting Authority
Digeni Akrita 83,