Latest update: 19.07.2019
Paf aims to offer customers safe and socially responsible, personalised gaming service for fun and entertainment. In order to provide the gaming service www.paf.com and related products and services (hereinafter referred to as the "Gaming Service"), Paf needs to process your personal data. Paf protects your privacy and undertakes to protect your personal data when you use and visit the Gaming Service.
Paf complies with applicable laws and regulations on data protection, including the Data Protection Regulation, (EU) 2016/769.
Paf (Ålands Penningautomatförening) is the data controller and is responsible for all personal data collected by Paf and for the processing of that personal data. Paf’s wholly owned subsidiary AS Pafer is the data controller for residents of Estonia. Paf has also appointed a data protection officer within the Paf Group.
(Company Reg. No. 0280695-6)
Tel. +358 20 7910 600
Data protection officer
(Company Reg. No. 10017059)
In order to fulfill legal age requirements and for responsible gaming reasons, Paf applies a strict age limit for using the Gaming service. Persons under the age of 18 may not, therefore, submit any personal data to Paf. For residents in Estonia, an age limit of 21 years applies, with the exception of betting for which the age limit is 18 years.
Data collected by Paf
Data you provide to Paf
Paf collects the personal data that you provide to Paf in connection with your registration of a gaming account. In order to participate in online gaming, you must have a registered gaming account on the Gaming Service. When you register a gaming account, you will need to enter information such as your name, personal identity number, email address and country of residence.
Administration of the Gaming Service
Paf also collects personal data that you provide to Paf in connection with administration of the Gaming Service, including for the purpose of administering payments to your bank account, e-wallet or other registered payment method you have with Paf. Paf may also request that you verify your identity.
You may also provide data to Paf when you contact Paf or participate in Paf’s activities or otherwise provide data to Paf.
Data that Paf collects from other sources
In addition to the data you provide to Paf, Paf may collect and/or update personal data through third parties, for example from various authorities and public records.
Data that Paf collects from third parties comprises:
- Identification data such as name, personal identity number and address details from public records to ensure that Paf has accurate data about you.
- Income data from the tax office, partly to comply with Paf’s obligations in accordance with the Act on Preventing Money Laundering and Terrorist Financing (2017/444), and partly to enable Paf to detect and take action in the event of any gambling problems.
- Data from gaming providers who provide Paf with games on the Gaming Service that indicate whether cheating, fraud or other violations have occurred in breach of the Agreement, the gaming rules or applicable laws. Paf also collects data generated by you from playing the games provided by the gaming provider which includes segmented data as well as profiled data.
- Data that Paf must examine by law, for example, if you are a person in a politically exposed position under the Act on Preventing Money Laundering and Terrorist Financing. Paf uses subcontractors to examine such data.
- Paf uses subcontractors that offer solutions for the detection and prevention of fraud, other offences and improper conduct against Paf and/or you as a gaming customer. These business services involve the examination of devices connected to the internet in order to evaluate the risk level of fraud and whether there is a history of fraudulent conduct so that Paf can protect its business from persons who wish to commit crimes against Paf or you as a gaming customer.
Use of the Gaming Service
Paf also collects data generated through your use of the Gaming Service, including transactions to and from your gaming account. This means that Paf stores and processes data on how you use the Gaming Service, for example the games you play, the tools you use, the Club Paf events in which you have participated, transfer of gaming funds between your external payment providers and Paf’s bank accounts, and correspondence between you and Paf.
Objectives of Paf's processing of personal data
Paf’s objectives are described below, that is, the purpose of processing your personal data and the legal basis for such processing.
|Registration of gaming account||Processing is necessary for you to be able to open a gaming account with Paf. All online gaming requires that you as a gaming customer register a gaming account at the Gaming Service.||Performance of contract - Collection and processing of personal data is necessary for Paf to fulfil its obligations under the Agreement between you and Paf and for you and Paf to enter into the Agreement.|
|Administration of the Gaming Service and your data||
Processing is necessary for the administration of the Gaming Service, including the transfer of gaming funds between your account, accounts of external payment providers and Paf’s bank accounts, management of customer funds and administration of your data.
Administration of the Gaming Service is also necessary to maintain the customer relationship between you and Paf.
|Performance of contract - Collection and processing is necessary for Paf to fulfil its obligations under the Agreement between you and Paf.|
|Delivery of a customised and personalised Gaming Service||Processing is necessary for the creation of customised content on the Gaming Service by providing you as a gaming customer, with relevant game recommendations, presentation of specific offers and other similar actions.||Performance of contract - Collection and processing is necessary for Paf to fulfil its obligations under the Agreement between you and Paf.|
|Supply and provision of qualitative customer service||
Paf offers customer service by phone, email and chat. Paf uses the information you provide to investigate, respond to and resolve complaints and issues with the Gaming Service, for example bugs or winner payouts.
Paf also records conversations with customers in order to quality assure Paf’s customer service and for training purposes, so as to improve and develop Paf’s customer service.
Performance of contract - Collection and processing is necessary for Paf to fulfil its obligations under the Agreement between you and Paf.
In the event that a person that is not a customer contacts Paf customer service, processing is based on legitimate interest. Processing is necessary to meet both Paf’s and your interests in the management of your issue.
|Deliver and provide chat services in connection with certain games||
Processing is necessary for the provision to you of chat features, to enable you to contact Paf and other players in connection with certain games.
Processing is also necessary to ensure that the content and your behaviour in the chat feature are appropriate, which means that the content may not be offensive, discriminatory or encourage crime.
|Performance of contract - Processing is necessary for Paf to fulfil its obligations under the Agreement between you and Paf.|
|Prevention of abuse of the Gaming Service and prevention, preclusion and investigation of violations against Paf and/or you||
Processing is necessary for prevention and investigation of any fraud or other offences.
Processing is also necessary for the prevention and investigation of harassment, attempts to unlawfully log in to your gaming account or any other actions prohibited by law or by the Agreement between you and Paf, as well as Paf’s or the gaming provider’s gaming rules.
Furthermore, processing is necessary to provide a safe and secure Gaming Service, improve and develop Paf’s IT environment, and to protect you and your gaming account from attacks and intrusion.
Performance of contract - Processing is necessary for Paf and you, as a gaming customer, to fulfil your obligations under the Agreement between you and Paf.
In cases where processing is not necessary to fulfil the Agreement between you and Paf, processing is based on a legitimate interest in protecting, preventing and precluding abuse of the Gaming Service and preventing and investigating any offence against Paf or you as a gaming customer.
Paf processes your personal data when you as a customer use:
Paf also processes your data that has been generated by your use of the Gaming Service, including the profiling of your gaming behaviour to detect, counteract and prevent problem gambling.
Paf also processes your personal data to verify that you are not registered in a self exclusion registry and to accommodate your request in the event you wish to be suspended from the Gaming Service.
Paf reserves the right to suspend you from the Gaming Service if your gaming pattern strongly indicates that you may have problems with your gambling and may not take control of your gambling yourself or do not take the steps recommended by Paf.
Paf has a Yearly Limit to ensure that customers cannot deposit €30,000 more than they withdraw during one twelve month period. This is an automated system that calculates the net difference between deposits and withdrawals. If deposits exceed withdrawals by €30,000 the customer will not be able to make further deposits until the current twelve month calculation period ends or a withdrawal changes the net difference.
If you choose to use Paf’s gaming insurance, Paf will process your personal data to investigate whether you are entitled to the insurance and to provide the insurance to you.
Paf also processes anonymous data in order to contribute to research in the field of gaming responsibility.
Performance of legal obligations - Processing is necessary to fulfil one or more legal obligations pertaining to Paf.
Consent - In the event that you as a gaming customer choose to use Paf’s gaming insurance or to take Paf’s survey or self-test, Paf needs your consent to provide these services.
In cases where there is no legal obligation or consent, processing is based on a legitimate interest of Paf being a gaming company that takes responsible gaming seriously, preventing and protecting you from unhealthy gaming habits and problem gambling.
|Administration of events and other occasions, promotions, competitions and tournaments including travel and prize givings.||
You have the opportunity to participate in Paf’s promotions, competitions, tournaments and events and other arrangements organised by Paf and/or Club Paf. In order for you to participate in these arrangements, it is necessary to process your personal data to administer your participation.
Processing is also necessary if you participate in any of Club Paf’s trips as well as processing of your friend’s personal data if you choose to bring a friend on the trip. As a participant, you can invite a friend to most trips and other events organised by Club Paf.
Performance of contract - Processing is necessary for Paf to fulfil its obligations under the terms of the competition or the promotion.
Consent - In cases where the performance of an agreement cannot be applied and Paf processes your friend’s personal data to administer the trip or some other event in which your friend is participating, Paf needs your friend’s consent to process the personal data.
|Marketing of the Gaming Service and Club Paf||
Paf processes personal data to promote its products, services and promotions, including Club Paf events.
Paf also processes personal data through profiling in order to suggest customised offers and marketing to you as a gaming customer. You can at any time choose not to receive personal offers generated through profiling by declining personal offers and marketing on your gaming account.
As a gaming customer you can also choose not to receive direct marketing, or only receive direct marketing through certain communication channels through the settings in your gaming account.
Please note that Paf does not target any marketing to persons resident in Finland, with the exception of Åland.
|Legitimate interest - Processing is based on a legitimate interest in marketing Paf and the Gaming Service, including various events organised by, or sponsored by Paf.|
Paf communicates with you through various communication channels, for example, via email, mobile phone, Gaming Service notifications, messages to your inbox at the Gaming Service and other similar ways. Messages from Paf may contain news about Paf, availability and security of the Gaming Service, reminders and marketing announcements from Paf and Paf’s business partners. You can change your communication settings on your gaming account at any time. Please note that you cannot opt out of Paf service announcements, which includes customer information, security and legal notices.
Paf also gives you the opportunity to communicate with others in connection with some games, please see "Deliver and provide chat services in connection with certain games".
Performance of contract - Some communications are necessary for Paf to fulfil its obligations under the Agreement between you and Paf, such as providing information on security and legal matters.
Legitimate interest - Some communications are based on a legitimate interest in being able to send information about Paf and marketing about Paf’s services and products.
|Develop the Gaming Service and conduct surveys as well as perform business analyses and statistical calculations.||
Processing is necessary to develop and improve the Gaming Service and to make the Gaming Service user-friendly for you.
Paf analyses usage patterns of the Gaming Service, among other things, in order to be able to take improvement and development measures.
|Legitimate interest - Processing is based on a legitimate interest in improving and developing the business, including the Gaming Service, and the interest in offering a user-friendly Gaming Service to Paf’s customers.|
|Performance of legal obligations pertaining to Paf.||Processing is necessary to fulfil Paf’s legal obligations under legal requirements, court judgements or official decisions. Paf has a duty to comply with applicable laws, for example laws regarding the provision of games, the prevention of money laundering and financing of terrorism, accounting and applicable license terms.||Performance of legal obligations - Processing is necessary to fulfil one or more legal obligations pertaining to Paf.|
Processing for other purposes
The main rule is that your personal data is only processed for the specific purposes for which your personal data was collected. However, your personal data may be processed for other purposes, provided that these purposes are consistent with the original purposes for which your personal data was originally collected. For example, Paf may process your personal data for other purposes due to legal reasons.
Duration of the data storage
Paf does not store your data for longer than is necessary for the specified purposes. In general, Paf stores your personal data until three years after the customer relationship has ended, to provide you with support if needed and for business continuity in case you return to Paf as a customer, as well as for your right to have any remaining gaming funds in your gaming account paid into your bank account, e-wallet or other payment method that you have registered with Paf. Note that legal requirements or official decisions may extend this timeframe. Thereafter, the data is deleted or anonymised so that it can no longer be linked to you as a person. However, you may request that Paf anonymise your personal information earlier, provided that the customer relationship has ended and that Paf does not need the personal data to fulfil its legal obligations pursuant to law.
Paf may store your personal data for less than three years after the customer relationship has ended. For example, Paf stores your personal data in cases where you have attended Paf events or other arrangements, promotions, competitions or tournaments, including travel and prize-givings, until they have been completed and follow-up of the current event has been completed.
Specifically with regard to recorded customer conversations, Paf store these recorded calls for 90 days.
In the event that you do not wish to receive Paf marketing, Paf will discontinue the processing of your personal data for that specific purpose. Note, however that Paf will process your personal data in order to ensure that you won't receive any marketing. The same also applies to cases in which you withdraw your consent.
Chat services associated with certain games are provided by Paf’s gaming providers and Paf does not have access to the logs that the gaming provider saves. Paf will only be notified if you as a gaming customer have acted improperly and do not comply with the terms set out in the chat service agreement. Therefore, Paf only stores data relating to breaches of the terms of the chat service.
Paf may store some of your personal data for more than three years after the customer relationship has ended, in order to fulfil its legal, regulatory, and/or licence terms. For example, Paf has an obligation to keep some of your personal data for six years from the end of the year when the accounting period has ended in accordance with the Accounting Act (1997/1336) and five years after the customer relationship has ended, pursuant to the Act on Preventing Money Laundering and Terrorist Financing (2017/444). Paf then only processes the parts of your personal data that are required for these specific purposes.
Paf may also process your personal data more than three years after the customer relationship has ended if the personal data is included in an ongoing legal process.
Automated decisions for individual players
In order to fulfill the relevant legal requirements, Paf verifies parts of your personal details and makes automated decisions based on those verifications. That includes decisions regarding your rights to use Paf’s Gaming Service.
Paf also applies automated decisions in regards to responsible gaming, including blocking customers from depositing further funds into their gaming account when they have reached the yearly loss limit. Automated decisions are also applied when limiting or locking customers’ gaming accounts. The aim of these decisions is to prevent, counteract and prohibit problem gambling, identify gambling problems and make customers aware of their gaming behaviour.
Paf may also terminate a customer relationship or lock a gaming account based on a customer’s inactivity and the likelihood that the customer in question is not using the Gaming Service.
Sharing and transfer of personal data
Disclosing of personal data
Paf may disclose your personal data in cases where Paf is required to do so by law, regulation or as a result of a request from an authority (police, tax office or other authorities) to disclose the data. Paf may also disclose your data in cases where Paf suspects that a crime has been committed.
In order to provide parts of the Gaming Service, Paf uses so-called data processors, companies that process personal data on Paf’s behalf in accordance with Paf’s instructions. Paf uses the following personal data processors:
- Game providers to be able to provide a varied range of games.
- IT companies that provide IT solutions for necessary operation, technical support and maintenance of the Gaming Service and Paf’s other activities.
- Companies that provide payment solutions such as card payment companies, banks and other payment service providers.
- Companies that provide services to counteract and detect fraud, other crimes and/or other improper conduct.
- Companies that run marketing such as media and advertising agencies and affiliates.
The sharing of personal data to data processors takes place only for purposes that are consistent with the purposes for which Paf has collected personal data, for example in order to fulfil Paf’s commitment under the Agreement.
Paf controls and ensures that each personal data processor provides sufficient guarantees regarding the security, protection and confidentiality of personal data. Paf has written agreements with alldata processors that regulate the undertakings of the data processors where they, inter alia, undertake to comply with Paf’s written instructions, security requirements and the restrictions and requirements that apply to the transfer of personal data.
Within the Paf Group
Paf shares personal data with other companies with which Paf is in cooperation, but which do not act as a data processor, i.e. the company is an independent data controller. This means that these companies decide independently how personal data will be processed. Paf shares personal data with the following companies which are independently responsible for the personal data:
- Companies that provide payment solutions such as card payment companies, banks and other payment service providers.
- Companies that provide booking services for travel, airlines, hotels and similar companies for example to organise Club Paf trips.
- Companies that supply prizes to those who have won a prize by participating in any of Paf’s activities.
- Certain game suppliers that supply games to the Gaming Service.
- Insurance companies that provide gaming insurance.
- Research institutes. Paf transfers anonymous data to research institutes in order to contribute to research in the field of gaming responsibility.
For further information regarding the companies that independently processes your personal data , you will find more info here or by contacting Paf.
Transfer of personal data
Paf always strives to process your personal data as far as possible within the European Union (EU) and the European Economic Area (EEA). In cases where it is necessary to transfer personal data outside the EU/EEA, for example, for the sharing of personal data with a data processor who, either himself or through a subcontractor, is established or storing personal data in a country outside the EU/EEA, Paf has taken the necessary and reasonable legal, technical and organisational measures to ensure that the level of protection is the same as in the EU/EEA. When transferring personal data to a country outside the EU/EEA, the level of protection is guaranteed either by decision of the EU Commission that the country in question ensures an adequate level of protection, or that the company is affiliated with Privacy Shield or the EU’s standard contractual clauses. Other appropriate safeguards are approved code of conduct in the recipient country and the application of internal binding company regulations. In cases where Paf transfers personal data to USA, amongst others, processing is supported either by EU standard contractual clauses or by the company’s connection to Privacy Shield.
Right of access
You are entitled to access your personal data, that is, a record of what personal data Paf is processing about you, provided that the data does not affect the rights and freedoms of others, or access to personal data is forbidden due to legal requirements, for example the Act on Preventing Money Laundering and Terrorist Financing. Please note that in cases where Paf receives a request for access to data, Paf may request further information from you requesting access to your personal data, to ensure effective handling of the request and disclosure of the data to the correct person.
Right to rectification
You are entitled to have incorrect personal data that concerns you rectified as well as within the stated purpose, to supplement incomplete personal data.
As a gaming customer, you can update your contact details yourself via your gaming account. Other data that may need to be corrected or supplemented is handled by contacting Paf.
Right to be forgotten
You are entitled to request that Paf delete or remove all or some personal data, for example, if the personal data is no longer required for the purposes it was collected or otherwise processed.
Please note that Paf may deny your request for deletion or removal of your personal data in cases where the processing is performed due to legal obligations which apply to Paf, such as the Accounting Act or the Act on Preventing Money Laundering and Terrorist Financing. Paf may also deny your request for deletion and removal of your personal data if Paf has a compelling legitimate interest for the processing, or if it is necessary for Paf to determine, claim or defend legal claims.
Right to restriction of processing
You are entitled to some extent to request that Paf’s processing of your personal data be restricted, for example, if you contest the accuracy of your personal data or that the processing is illegal but you do not want your personal data to be deleted. The processing of your personal data may also be restricted to establishing, enforcing or defending legal claims and in cases where the processing is based on a legitimate interest to the extent necessary to determine whether Paf has a compelling legitimate interest which carries more weight than your legitimate grounds.
Please note that Paf is entitled to store your personal data during the restriction of processing of your personal data and process such personal data in order to determine, enforce or defend legal claims or to protect any other natural or legal person’s rights. Paf may also process such data in cases where you have given your consent, or for reasons relating to an important public interest.
Right to object
You are entitled to object to certain types of processing, such as Paf’s processing of your personal data for direct marketing and processing that is supported by a legitimate interest.
You may object at any time to processing that relates to direct marketing, including profiling (analysis of personal data collected), to the extent that profiling is connected to such direct marketing.
As a gaming customer, you can select which communications channels Paf may use to send marketing to you through the settings in your gaming account. If you do not want any marketing sent to you, Paf will stop sending marketing to you and discontinue such processing of your personal data.
In the event that Paf relies on legitimate interest to support processing, you can object to such processing.
However, please note that Paf may continue the processing if Paf has a compelling reason for processing the personal data. That is to say, Paf’s interests carry more weight than your interests. Otherwise, Paf may only process your personal data in order to determine, exercise or defend legal claims.
Right to data portability
If Paf’s processing of your personal data is based on either your consent or on performance of an agreement between you and Paf, and that your personal data is provided by you and that the processing is automated, you are entitled to request that your data be transferred to another data controller (right to data portability).
Withdrawal of consent
In cases where Paf bases its processing of your personal data on your consent, you can withdraw your consent at any time, at no cost. You can withdraw your consent by contacting Paf customer service.
Note that the withdrawal of consent does not affect the legality of the processing that takes place before the consent is withdrawn.
Right to lodge a complaint
If you consider that Paf’s processing of your personal data does not comply with applicable data protection laws, you may submit a complaint to the Finnish Data Protection Ombudsman. Residents of Estonia can contact the Estonian Data Protection Inspectorate.
Paf uses so-called cookies. Cookies are files that are stored on your device/devices when you visit the Gaming Service.
Paf has taken all necessary and appropriate steps to protect your personal data from unauthorised procedures such as unlawful or unauthorised processing, which includes theft, deletion, alteration, disclosure and transfer of personal data. These measures include the greatest possible restriction of the circle of people that has the right to the personal data and limitation of the ability of the authorised persons to make changes, as well as technical barriers to infringement, including encryption during transmission and storage, firewalls, strict requirements for passwords, and alert functions with reporting upon attempted unauthorised infringement. Pseudonymisation is used to the fullest extent during our processing, to further protect your privacy. Paf is also ISO 27001 certified.