PRIVACY POLICY
1. IN GENERAL
Paf aims to offer customers a safe and socially responsible, personalised gaming service for fun and entertainment. In order to provide the gaming service www.paf.com and related products and services (hereinafter referred to as the "Gaming Service"), Paf needs to process your personal data. At Paf, we are committed to protect your privacy and we undertake to protect your personal data when you use and visit the Gaming Service.
This Privacy Policy applies when you use the Gaming Service as a gaming customer at Paf in accordance with Paf’s terms of use (hereinafter referred to as the "Agreement") and/or when you visit the Gaming Service. Paf offers you the opportunity to, to a certain extent, control Paf’s collection, use and dissemination of your personal data as described in this Privacy Policy, Cookie policy and through the settings in your gaming account.
It is important that you familiarise yourself with and read through this Privacy Policy and that you have confidence in Paf’s processing of your personal data. Please feel free to contact Paf with any questions.
Paf complies with applicable laws and regulations on data protection, including the Data Protection Regulation, (EU) 2016/769.
1.1 Data Controller
Paf (Ålands Penningautomatförening) is the data controller and is responsible for all personal data collected by Paf and for the processing of that personal data. Paf has also appointed a data protection officer within the PAF Group.
Ålands Penningautomatförening (Company Reg. No. 0280695-6)
Lövdalsvägen 8 PB 241 AX-22101 Mariehamn Åland, Finland
Email: info@paf.com Tel. +358 20 7910 600
Data protection officer Lövdalsvägen 8 PB 241 AX-22101 Mariehamn Åland, Finland
Email: info@paf.com
2. CHANGES
The Gaming Service provided by Paf is constantly evolving, and applicable data protection laws may change, which means that Paf may need to update or change this Privacy Policy from time to time without any special notice. Therefore it is important that you read through this Privacy Policy each time you visit the Gaming Service. The date when the most recent changes have been made is stated at the top of this Privacy Policy.
3. CHILDREN
In order to fulfil legal age requirements and for responsible gaming reasons, Paf applies a strict age limit for using the Gaming service. Persons under the age of 18 may not, therefore, submit any personal data to Paf.
4. DATA COLLECTED BY PAF
4.1 Data you provide to Paf
4.1.1 Registration
Paf collects the personal data that you provide to Paf in connection with your registration of a gaming account. In order to participate in online gaming, you must have a registered gaming account on the Gaming Service. When you register a gaming account, you will need to enter information such as your name, personal identity number, email address and country of residence.
4.1.2 Administration of the Gaming Service
Paf also collects personal data that you provide to Paf in connection with administration of the Gaming Service, including for the purpose of administering payments to your bank account, e-wallet or other registered payment method you have with Paf. Paf may also request that you verify your identity.
You may also provide personal data to Paf when you contact Paf or participate in Paf’s activities or otherwise provide information to Paf.
4.2 Data that Paf collects from other sources
In addition to the data you provide to Paf, Paf may collect and/or update personal data through third parties, for example from various authorities, public records and other public sources.
Data that Paf collects from third parties comprises:
Identification data such as name, personal identity number and address details from public records to ensure that Paf has accurate data about you.
Income data from the tax office, partly to comply with Paf’s obligations in accordance with applicable laws on Preventing Money Laundering and Terrorist Financing, and partly to enable Paf to detect and take action in the event of any gambling problems.
Data from gaming providers who provide Paf with games on the Gaming Service that indicate whether cheating, fraud or other violations have occurred in breach of the Agreement, the gaming rules or applicable laws. Paf also collects data generated by you from playing the games provided by the gaming provider which includes segmented data as well as profiled data.
Data that Paf must examine by law, for example, if you are a person in a politically exposed position under the Act on Preventing Money Laundering and Terrorist Financing. Paf uses subcontractors to examine such data.
Paf uses subcontractors that offer solutions for the detection and prevention of fraud, other offences and improper conduct against Paf and/or you as a gaming customer. These business services involve the examination of devices connected to the internet in order to evaluate the risk level of fraud and whether there is a history of fraudulent conduct so that Paf can protect its business from persons who wish to commit crimes against Paf or you as a gaming customer.
4.2.1 Use of the gaming service
Paf also collects data generated through your use of the Gaming Service, including transactions to and from your gaming account. This means that Paf stores and processes data on how you use the Gaming Service, for example the games you play, the tools you use, the Club Paf events in which you have participated, transfer of gaming funds between your external payment providers and Paf’s bank accounts, and correspondence between you and Paf.
5. OBJECTIVES OF PAF'S PROCESSING OF PERSONAL DATA
Paf’s objectives are described below, that is, the purpose of processing your personal data and the legal basis for such processing.
Objectives: Registration of gaming account
Purpose: Processing is necessary for you to be able to open a gaming account with Paf. All online gaming requires that you as a gaming customer register a gaming account at the Gaming Service.
Legal basis: Performance of legal obligations - Processing is necessary to fulfil one or more of the legal obligations pertaining to Paf.
Performance of contract - Collection and processing of personal data is necessary for Paf to fulfil its obligations under the Agreement between you and Paf and for you and Paf to enter into the Agreement.
Objectives: Administration of the Gaming Service and your personal data
Purpose: Processing is necessary for the administration of the Gaming Service, including the transfer of gaming funds between your account, accounts of external payment providers and Paf’s bank accounts, management of customer funds and administration of your data.
Administration of the Gaming Service is also necessary to maintain the customer relationship between you and Paf.
Legal basis: Performance of contract - Collection and processing is necessary for Paf to fulfil its obligations under the Agreement between you and Paf.
Objectives: Delivery of a customised and personalised Gaming Service
Purpose: Processing is necessary for the creation of customised content on the Gaming Service by providing you as a gaming customer, with relevant game recommendations, presentation of specific offers and other similar actions.
Legal basis: Performance of contract - Collection and processing is necessary for Paf to fulfil its obligations under the Agreement between you and Paf.
Objectives: Supply and provision of fast and qualitative customer service
Purpose: Paf offers customer service by phone, email and chat. Paf uses the information you provide to investigate, respond to and resolve complaints and issues with the Gaming Service, for example bugs or winner payouts.
Paf also records conversations and monitors keystrokes in real time in chat communication with customers in order to quality assure Paf’s customer service, provide faster customer service and for training purposes, so as to improve and develop Paf’s customer service.
Legal basis: Performance of contract - Collection and processing is necessary for Paf to fulfil its obligations under the Agreement between you and Paf.
In the event that a person that is not a customer contacts Paf customer service, processing is based on legitimate interest. Processing is necessary to meet both Paf’s and your interests in the management of your issue.
Objectives: Deliver and provide chat services in connection with certain games
Purpose: Processing is necessary for the provision to you of chat features, to enable you to contact Paf and other players in connection with certain games.
Processing is also necessary to ensure that the content and your behaviour in the chat feature are appropriate, which means that the content may not be offensive, discriminatory or encourage crime.
Legal basis: Performance of contract - Processing is necessary for Paf to fulfil its obligations under the Agreement between you and Paf.
Objectives: Prevention of abuse of the Gaming Service and prevention, preclusion and investigation of violations against Paf and/or you
Purpose: Processing is necessary for prevention and investigation of any fraud or other offences.
Processing is also necessary for the prevention and investigation of harassment, attempts to unlawfully log in to your gaming account or any other actions prohibited by law or by the Agreement between you and Paf, as well as Paf’s or the gaming provider’s gaming rules.
Furthermore, processing is necessary to provide a safe and secure Gaming Service, improve and develop Paf’s IT environment, and to protect you and your gaming account from attacks and intrusion.
Legal basis: Performance of contract - Processing is necessary for Paf and you, as a gaming customer, to fulfil your obligations under the Agreement between you and Paf.
In cases where processing is not necessary to fulfil the Agreement between you and Paf, processing is based on a legitimate interest in protecting, preventing and precluding abuse of the Gaming Service and preventing and investigating any offence against Paf or you as a gaming customer.
Objectives: Responsible gaming
Provide socially responsible Gaming Service
Counter, prevent and preclude problem gambling
Offer customers tools and services that help customers make informed decisions about their gambling
Purpose: Paf processes your personal data when you as a customer use:
Paf’s tools and services to make informed decisions about your gambling, such as deposit limits, freezing of the gaming account or receiving reminders about how long you’ve been playing.
Paf’s questionnaire and/or self-test to get information about your gaming habits.
Paf also processes your data that has been generated by your use of the Gaming Service, including the profiling of your gaming behaviour to detect, counteract and prevent problem gambling.
Paf also processes your personal data to verify that you are not registered in a self exclusion registry and to accommodate your request in the event you wish to be suspended from the Gaming Service.
Paf reserves the right to suspend you from the Gaming Service if your gaming pattern strongly indicates that you may have problems with your gambling and may not take control of your gambling yourself or do not take the steps recommended by Paf.
Paf has implemented a mandatory loss limit which applies to all gaming customers. The processing is based on an automated process which means that once the Gaming Customer has reached the yearly (a calendar year) mandatory loss limit, the Gaming Customer cannot make any further bets until the beginning of the next calendar year or until a win changes the loss. Here is more information about Paf’s loss limits.
If you choose to use Paf’s gaming insurance, Paf will process your personal data to investigate whether you are entitled to the insurance and to provide the insurance to you.
Paf also processes anonymous data in order to contribute to research in the field of gaming responsibility.
Legal basis: Performance of legal obligations - Processing is necessary to fulfil one or more legal obligations pertaining to Paf.
Consent - In the event that you as a gaming customer choose to use Paf’s gaming insurance or to take Paf’s survey or self-test, Paf needs your consent to provide these services.
In cases where there is no legal obligation or consent, processing is based on a compelling legitimate interest of Paf being a gaming company that takes responsible gaming seriously, preventing and protecting you from unhealthy gaming habits and problem gambling.
Objectives: Administration of events and other occasions, promotions, competitions and tournaments including travel and prize givings.
Purpose: You have the opportunity to participate in Paf’s promotions, competitions, tournaments and events and other arrangements organised by Paf and/or Club Paf. In order for you to participate in these arrangements, it is necessary to process your personal data to administer your participation.
Processing is also necessary if you participate in any of Club Paf’s trips as well as processing of your friend’s personal data if you choose to bring a friend on the trip. As a participant, you can invite a friend to most trips and other events organised by Club Paf.
Legal basis: Performance of contract - Processing is necessary for Paf to fulfil its obligations under the terms of the competition or the promotion.
Consent - In cases where the performance of an agreement cannot be applied and Paf processes your friend’s personal data to administer the trip or some other event in which your friend is participating, Paf needs your friend’s consent to process the personal data.
Objectives: Marketing of the Gaming Service and Club Paf
Purpose: Paf processes personal data to promote its products, services and promotions, including Club Paf events.
Paf also processes personal data through profiling in order to suggest customised offers and marketing to you as a gaming customer. You can at any time choose not to receive personal offers generated through profiling by declining personal offers and marketing on your gaming account.
As a gaming customer you can also choose not to receive direct marketing, or only receive direct marketing through certain communication channels through the settings in your gaming account.
Please note that Paf does not target any marketing to persons resident in Finland, with the exception of Åland.
Legal basis: Legitimate interest - Processing is based on a legitimate interest in marketing Paf and the Gaming Service, including various events organised by, or sponsored by Paf.
Objectives: Communications
Purpose: Paf communicates with you through various communication channels, for example, via email, mobile phone, Gaming Service notifications, messages to your inbox at the Gaming Service and other similar ways. Messages from Paf may contain news about Paf, availability and security of the Gaming Service, reminders and marketing announcements from Paf and Paf’s business partners. You can change your communication settings on your gaming account at any time. Please note that you cannot opt out of Paf service announcements, which includes customer information, security and legal notices.
Paf also gives you the opportunity to communicate with others in connection with some games, please see "Deliver and provide chat services in connection with certain games".
Legal basis: Performance of contract - Some communications are necessary for Paf to fulfil its obligations under the Agreement between you and Paf, such as providing information on security and legal matters.
Legitimate interest - Some communications are based on a legitimate interest in being able to send information about Paf and marketing about Paf’s services and products.
Objectives: Develop the Gaming Service and conduct surveys as well as perform business analyses and statistical calculations.
Purpose:
Processing is necessary to develop and improve the Gaming Service and to make the Gaming Service user-friendly for you.
Paf analyses usage patterns of the Gaming Service, among other things, in order to be able to take improvement and development measures.
Legal basis: Legitimate interest - Processing is based on a legitimate interest in improving and developing the business, including the Gaming Service, and the interest in offering a user-friendly Gaming Service to Paf’s customers.
Objectives: Performance of legal obligations pertaining to Paf.
Purpose: Processing is necessary to fulfil Paf’s legal obligations under legal requirements, court judgements or official decisions. Paf has a duty to comply with applicable laws, for example laws regarding the provision of games, the prevention of money laundering and financing of terrorism, accounting and applicable license terms.
Legal basis: Performance of legal obligations - Processing is necessary to fulfil one or more legal obligations pertaining to Paf.
5.1 Processing for other purposes
The main rule is that your personal data is only processed for the specific purposes for which your personal data was collected. However, your personal data may be processed for other purposes, provided that these purposes are consistent with the original purposes for which your personal data was originally collected. For example, Paf may process your personal data for other purposes due to legal reasons.
6. DURATION OF THE DATA STORAGE
Paf does not store your data for longer than is necessary for the specified purposes. In general, Paf stores your personal data until two years after the customer relationship has ended in order to be able to provide support if needed and for business continuity should you decide to return to Paf as a customer. Kindly note that legal requirements or official decisions may extend this timeframe, as further described down below. Thereafter, the personal data is deleted or anonymised so that it can no longer be linked to you as a person. However, you may request that Paf anonymise your personal information earlier, provided that the customer relationship has ended and that Paf is not obligated to keep certain categories of personal for the purposes of fulfilling its obligations pursuant to law or there is an ongoing legal process.
In certain cases, Paf may store your personal data for less than two years after the customer relationship has ended. For example, Paf stores your personal data in cases where you have attended Paf events or other arrangements, promotions, competitions or tournaments, including travel and prize-givings, until they have been completed and follow-up of the current event has been completed.
Specifically with regard to recorded customer conversations, Paf stores these recorded calls for 90 days.
In the event that you do not wish to receive Paf marketing, Paf will discontinue the processing of your personal data for that specific purpose. However, Paf will process your personal data in order to ensure that you won't receive any marketing. The same also applies to cases in which you withdraw your consent.
Chat services associated with certain games are provided by Paf’s gaming providers and Paf does not have access to the logs that the gaming provider saves. Paf will only be notified if you as a gaming customer have acted improperly and do not comply with the terms set out in the chat service agreement. Therefore, Paf only stores data relating to breaches of the terms of the chat service.
Paf may store some of your personal data for more than two years after the customer relationship has ended, in order to fulfil its legal, regulatory, and/or licence terms. For example, Paf has an obligation to keep some of your personal data for six years from the end of the year when the accounting period has ended in accordance with applicable laws on accounting and five years after the customer relationship has ended, pursuant to applicable laws on Preventing Money Laundering and Terrorist Financing. Paf then only processes the parts of your personal data that are required for these specific purposes.
Paf may also process your personal data independently of the customer relationship if the personal data is included in an ongoing legal process.
7. AUTOMATED DECISIONS FOR INDIVIDUAL PLAYERS
In order to fulfil the relevant legal requirements, Paf verifies parts of your personal details and makes automated decisions based on those verifications. That includes decisions regarding your rights to use Paf’s Gaming Service.
Paf also applies automated decisions in regards to responsible gaming, including blocking customers from depositing further funds into their gaming account when they have reached the yearly loss limit. Automated decisions are also applied when limiting or locking customers’ gaming accounts. The aim of these decisions is to prevent, counteract and prohibit problem gambling, identify gambling problems and make customers aware of their gaming behaviour.
Paf may also terminate a customer relationship or lock a gaming account based on a customer’s inactivity and the likelihood that the customer in question is not using the Gaming Service.
8. SHARING AND TRANSFER OF PERSONAL DATA
8.1 Disclosing of personal data
Paf processes your personal data in the strictest confidence and only discloses your personal data to third parties in accordance with this Privacy Policy and to persons authorised to process personal data, who have undertaken to observe confidentiality or are subject to appropriate statutory confidentiality. Otherwise, Paf will only share your personal data with a third party if you have given consent to such notification.
Paf may disclose your personal data in cases where Paf is required to do so by law, regulation or as a result of a request from an authority (police, tax office or other authorities) to disclose the data. Paf may also disclose your data in cases where Paf suspects that a crime has been committed.
8.2 Data processors
In order to provide parts of the Gaming Service, Paf uses so-called data processors, companies that process personal data on Paf’s behalf in accordance with Paf’s instructions. Paf uses the following categories of l data processors:
Game providers to be able to provide a varied range of games.
IT companies that provide IT solutions for necessary operation, technical support and maintenance of the Gaming Service and Paf’s other activities. This includes services such as: IT infrastructure, backup, logging, monitoring, relationship management and profiling, communication, service enhancement including profiling and personalisation, business analytics.
Companies that provide payment solutions such as card payment companies, banks and other payment service providers.
Companies that provide services to counteract and detect fraud, other crimes and/or other improper conduct.
Companies that run marketing such as media and advertising agencies and affiliates.
The sharing of personal data to data processors takes place only for purposes that are consistent with the purposes for which Paf has collected personal data, for example in order to fulfil Paf’s commitment under the Agreement.
Paf controls and ensures that each personal data processor provides sufficient guarantees regarding the security, protection and confidentiality of personal data. Paf has written agreements with all data processors that regulate the undertakings of the data processors where they, inter alia, undertake to comply with Paf’s written instructions, security requirements and the restrictions and requirements that apply to the transfer of personal data.
8.3 Within the Paf group
For the purposes described in this Privacy Policy and the Agreement, your personal data may be transferred and processed within the PAF Group, located within the EU. The sharing of your personal data within the PAF Group is primarily for managing your personal data and for handling various matters related to the Gaming Service.
Sharing may also occur, for example, so as to take measures within responsible gaming or take measures against money laundering and the financing of terrorism, if you play on any gaming service within the PAF group, which are licence holders for that specific gaming service.
8.4 Other companies
Paf shares personal data with other companies with which Paf is in cooperation, but which do not act as a data processor, i.e. the company is an independent data controller. This means that these companies decide independently how personal data will be processed. Paf shares personal data with the following companies which are independently responsible for the personal data:
Companies that provide payment solutions such as card payment companies, banks and other payment service providers.
Companies that provide booking services for travel, airlines, hotels and similar companies for example to organise Club Paf trips.
Companies that supply prizes to those who have won a prize by participating in any of Paf’s activities.
Certain game suppliers that supply games to the Gaming Service.
Insurance companies that provide gaming insurance.
Research institutes. Paf transfers anonymous data to research institutes in order to contribute to research in the field of gaming responsibility.
In cases where your personal data is shared with a company that independently processes your personal data, that company’s privacy policy and personal data handling is applicable.
For further information regarding the companies that independently processes your personal data , you will find more information here or by contacting Paf.
8.5 Transfer of personal data
Paf always strives to process your personal data as far as possible within the European Union (EU) and the European Economic Area (EEA). In cases where it is necessary to transfer personal data outside the EU/EEA, for example, for the sharing of personal data with a data processor who, either himself or through a subcontractor, is established or storing personal data in a country outside the EU/EEA, Paf has taken the necessary and reasonable legal, technical and organisational measures to ensure that the level of protection is the same as in the EU/EEA.
When transferring personal data to a country outside the EU/EEA, the level of protection is guaranteed either by decision of the EU Commission that the country in question ensures an adequate level of protection, or that the company has entered into the EU’s standard contractual clauses. Other appropriate safeguards are approved code of conduct in the recipient country and the application of internal binding company regulations.
In the event Paf transfers personal data to the United States, the transfer is primarily supported by the Data Privacy Framework (an adequacy decision which concludes that the United States ensures an adequate level of protection for personal data transferred from the EU to US companies participating in the EU-U.S. Data Privacy Framework) and/or the EU standard contractual clauses.
9. YOUR RIGHTS
9.1 Right to access
You are entitled to access your personal data, that is, a record of what personal data Paf is processing about you, provided that the data does not affect the rights and freedoms of others, or access to personal data is forbidden due to legal requirements, for example the Act on Preventing Money Laundering and Terrorist Financing. Please note that in cases where Paf receives a request for access to data, Paf may request further information from you requesting access to your personal data, to ensure effective handling of the request and disclosure of the data to the correct person.
9.2 Right to rectification
You are entitled to have incorrect personal data that concerns you rectified as well as within the stated purpose, to supplement incomplete personal data.
As a gaming customer, you can update your contact details yourself via your gaming account. Other data that may need to be corrected or supplemented is handled by contacting Paf.
9.3 Right to be forgotten
You are entitled to request that Paf delete or remove all or some personal data, for example, if the personal data is no longer required for the purposes it was collected or otherwise processed.
Please note that Paf may deny your request for deletion or removal of your personal data in cases where the processing is performed due to legal obligations which apply to Paf, such as the Accounting Act or the Act on Preventing Money Laundering and Terrorist Financing. Paf may also deny your request for deletion and removal of your personal data if Paf has a compelling legitimate interest for the processing, or if it is necessary for Paf to determine, claim or defend legal claims.
9.4 Right to restriction of processing
You are entitled to some extent to request that Paf’s processing of your personal data be restricted, for example, if you contest the accuracy of your personal data or that the processing is illegal but you do not want your personal data to be deleted. The processing of your personal data may also be restricted to establishing, enforcing or defending legal claims and in cases where the processing is based on a legitimate interest to the extent necessary to determine whether Paf has a compelling legitimate interest which carries more weight than your legitimate grounds.
Please note that Paf is entitled to store your personal data during the restriction of processing of your personal data and process such personal data in order to determine, enforce or defend legal claims or to protect any other natural or legal person’s rights. Paf may also process such data in cases where you have given your consent, or for reasons relating to an important public interest.
9.5 Right to object
You are entitled to object to certain types of processing, such as Paf’s processing of your personal data for direct marketing and processing that is supported by a legitimate interest.
9.5.1 Direct marketing
You may object at any time to processing that relates to direct marketing, including profiling (analysis of personal data collected), to the extent that profiling is connected to such direct marketing.
As a gaming customer, you can select which communications channels Paf may use to send marketing to you through the settings in your gaming account. If you do not want any marketing sent to you, Paf will stop sending marketing to you and discontinue such processing of your personal data.
9.5.2 Legitimate interest
In the event that Paf relies on legitimate interest to support processing, you can object to such processing.
However, please note that Paf may continue the processing if Paf has a compelling reason for processing the personal data. That is to say, Paf’s interests carry more weight than your interests. Otherwise, Paf may only process your personal data in order to determine, exercise or defend legal claims.
9.6 Right to data portability
If Paf’s processing of your personal data is based on either your consent or on performance of an agreement between you and Paf, and that your personal data is provided by you and that the processing is automated, you are entitled to request that your data be transferred to another data controller (right to data portability).
9.7 Withdrawal of consent
In cases where Paf bases its processing of your personal data on your consent, you can withdraw your consent at any time, at no cost. You can withdraw your consent by contacting Paf customer service.
Note that the withdrawal of consent does not affect the legality of the processing that takes place before the consent is withdrawn.
9.8 Right to lodge a complaint
If you consider that Paf’s processing of your personal data does not comply with applicable data protection laws, you may submit a complaint to the Finnish Data Protection Ombudsman.
10 .COOKIES
Paf uses so-called cookies. Cookies are small text files that are saved on your device (e.g. your computer, mobile or tablet) when you visit the Gaming Service.
For more information about cookies and Paf’s use of cookies, as well as which categories of cookies are used, please read Paf’s Cookie Policy.
11. SECURITY
Paf has taken all necessary and appropriate steps to protect your personal data from unauthorised procedures such as unlawful or unauthorised processing, which includes theft, deletion, alteration, disclosure and transfer of personal data. These measures include the greatest possible restriction of the circle of people that has the right to the personal data and limitation of the ability of the authorised persons to make changes, as well as technical barriers to infringement, including encryption during transmission and storage, firewalls, strict requirements for passwords, and alert functions with reporting upon attempted unauthorised infringement. Pseudonymisation is used to the fullest extent during our processing, to further protect your privacy. Paf is also ISO 27001 certified.