• We process your personal data in compliance with the Data Protection Act 2018 (UK GDPR), and the Privacy and Electronic Communications Regulations 2003 ("PECR") and all other applicable legislation.
  
• We process all data lawfully, fairly and in a transparent manner in relation to you and we will only collect data that is strictly necessary for the purposes that we have stated in this Privacy Notice or where legally required to do so, or where you have given express consent for us to do so.
  
• We maintain physical, electronic and organisational safeguards to protect your data.
  
• We permit only authorised personnel, who are trained in the proper handling of your data, to have access to it.
  
• We take all reasonable steps to maintain the accuracy of the data and will act on any instance where we are notified of an error or omission.
  
• We contractually require any person or organisation providing products or services to customers on our behalf to protect the privacy and confidentiality of your data.
  
• We limit the storage period for your data in accordance with legal and regulatory requirements and will delete it when it is no longer relevant, or when our lawful purpose for processing it has expired.
  
• We do not knowingly collect data relating to children or young persons and entry to our venues is strictly prohibited for children or young persons under the age of 18.

Personal data is data that can be used to identify you, directly or indirectly and includes 'pseudonymised' data that is linked to data that can be used to directly or indirectly identify you. Personal data does NOT include data that has been irreversibly anonymised or aggregated so that it can no longer enable us, whether in combination with other data or otherwise, to identify you. We may collect, use, store and transfer different kinds of personal data about you, which falls into the following categories:

• Identity Data includes your first name, last name, user-name or similar identifier, title, date of birth, gender and/or (if applicable) company name.
• Contact Data includes your billing address, delivery address, country of origin, email address and telephone number(s).
• Transaction Data includes details about payments to and from you and other details of use of our services or digital content.
• Technical Data includes your internet protocol (IP) address, your log-in data, browser type and version, time-zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices that you use to access Metropolitan Gaming websites.
• Profile Data includes your username and (for registered users) password, your transactional history with us and your interests, preferences, feedback and survey responses.
• Usage Data includes data about how you use our services and Metropolitan Gaming websites.
• Marketing and Communications Data includes your preferences in receiving marketing from us and (if relevant) third parties and your communication preferences.
• Biometric identification data is a copy of your photograph that we use for membership and identification purposes, which may include facial recognition technology, and to comply with applicable legislation and Gambling Commission regulations.
  

Other than a copy of your photograph, we do not collect any other Special Categories of personal data about you. Special Category data is defined as personal information about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, data about your health, or genetic data.

We will only collect and use data which is necessary to comply with our legal obligations and assist us to administer our business and to provide you with the services you request. We may collect personal data about you (or your business) from other companies within Metropolitan Gaming and from certain third-party sources where we have a legitimate interest to do so.

CCTV, Body Worn Video ("BWV") and Dash Cam Video

We use surveillance systems to monitor all gaming areas and other public or sensitive areas of Metropolitan Gaming properties and vehicles. Video and audio surveillance cameras are used for security purposes and to protect us, our customers and employees against potential violations of criminal or civil laws.

Video and audio surveillance cameras may also be used at Metropolitan Gaming Properties to enhance your customer experience and to provide services to you. Surveillance camera output is monitored by our employees and may be viewed by law-enforcement and regulatory authorities.

We may employ facial recognition technology when you enter our casinos to ensure that we are complying with our regulatory obligations to ensure safer gambling, enforce self­ exclusions and barring and to help us keep crime out of casinos. Such photographic records are not retained.

Data that you provide when you use our services and products, including, but not limited to:

• When you complete our membership or application forms, or when you sign up to our Met Card loyalty program. (The types of data we collect can include: your date of birth, first name, last name, address, phone number, email address, gender, occupation, and other data as shown on the form, as well as your passport, driver's licence or some other official documents with or without a photograph.);
• Anti-Money Laundering (AML) / Know Your Customer (KYC) Data, such as source of funds, wealth and proof of occupation;
• In verbal or written communications between us and you;
• In other third-party documents sent on your behalf, such as insurance or legal documents;
• When you use our websites, mobile phone applications and WiFi services;
• When you take part in our competitions or promotions;
• If you participate in surveys.
• Data about your transactions with us, including your payment history, details of occupation, attendance and gaming activity with us;

Data we collect from third parties, including, but not limited to:

• Data we receive from Central Credit, our business partners and other third parties such as ID data, criminal history, creditworthiness and insolvency records;
• Public data sources such as HM Land Registry, Companies House and Interpol; and
• Social networks.

• The data that we collect from you may be transferred to, and stored at, a destination outside the United Kingdom as well as the European Economic Area ("EEA"). It may also be processed by employees operating outside the United Kingdom and the EEA who work for us. Such employees may be engaged in, among other things, the provision of any requested services, the processing of your payment details and the provision of support services.
• All data you provide to us is stored on secure servers. If you use our site to send personal data to us, your transmission will be protected by Secure Socket Layer (SSL). SSL is a technology that encrypts your data during transmission.
• Where we have given you (or where you have chosen) a password which enables you to access certain parts of our site, you are responsible for keeping this password confidential. You must not share your password with anyone.
• The transmission of data via the Internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our site; any transmission is at your own risk. Once we have received your data, we will use strict procedures and security features to try to prevent unauthorised access.

The processing of your personal data will be based on the various lawful basis described in the 'Uses made of your data' or as otherwise disclosed to you at the time of collection, and as otherwise permitted by law.

We may use your personal data for the following purposes:

• To operate our Met Card Program. This is necessary for us to perform our contractual obligations to you;
• To provide you with data about news, events, products, promotions or services that you request from us or which we feel may interest you, based on your preferences. You may be contacted about these by e-mail, SMS, instant messaging or post. To the extent that we require your consent for such communications (such as direct marketing emails) and you give it to us, we rely on your consent for providing you with the data concerned. You can withdraw your marketing consent at any time;
• Where we do not require your specific consent, such communications are necessary for our legitimate interests in studying how customers use our services or digital content, developing them, expanding our business and informing our marketing strategy;
• To carry out our other obligations arising from agreements or contracts (including our obligations to you as a customer of our casinos or online services) entered into between you and us. This is necessary for us to perform our contractual obligations to you;
• To notify you about changes to our policies, terms and conditions or to personnel of Metropolitan Gaming. This may be necessary for compliance with our legal obligations or performance of our contractual obligations to you or may be necessary for our legitimate interest in developing our business and operations from time to time;
• To perform background checks for any reason (to the extent permitted by applicable laws or regulatory obligations), which includes but is not limited to any investigation into your identity, any credit checks or any enquiries into your personal history. This is necessary, in some instances, for compliance with our legal obligations and, in others, our legitimate interest in running our business efficiently, minimising the risk of bad debts, preventing fraud and fulfilling our regulatory obligations to ensure that customers are gaming safely and affordably;
• To confirm the source of funds using confirmation packets and verifying this data with other casinos. This is necessary, in some instances, for compliance with our legal and regulatory obligations and, in others, our and/or other casinos' legitimate interests in minimising the risk of bad debts and preventing fraud;
• To create a more accurate and complete customer profile to gain a better understanding of the products and services you want to use. This is necessary for our legitimate interests in keeping our records updated and studying how customers use our services or digital content;
• To cash your cheques and to process debit-card and other financial transactions. This is necessary for the performance of our contractual obligations to you and, in the context of debt recovery, our legitimate interest in recovering any debts due to us;
• To detect, investigate, report and seek to prevent financial crime (or suspicions of) and problem gambling to comply with the regulations that apply to us. This is necessary for compliance with our legal and regulatory obligations; and
• Otherwise permitted by you, or where we are required by law to do so.

Metropolitan Gaming will not sell or rent to any third party any of the personal data that we collect in relation to you.

Please note that, where you have given your consent to the processing of your personal data, you may withdraw your consent at any time. Any such withdrawal will not affect the lawfulness of any processing previously made on the basis of your prior consent.

We may disclose and transfer your personal data to any entity, affiliate and subsidiary of Metropolitan Gaming, or any partner company with which we have a services agreement, including those based outside of the EEA and including our parent company, Metropolitan Gaming, based in the United States of America.

Where your personal data is transferred to a country outside the UK or EEA, we will enter into model contractual clauses, including International Data Transfer Agreement clauses, or other templates as adopted by the European Commission, or issued by any UK statutory body such as the ICO. We will rely on individual country adequacy status or binding corporate rules where our service providers have adopted such internal policies approved by the UK and EU data protection authorities.

We may also disclose data that we collect from or about you with non-affiliated third parties as permitted or required by law, including those based outside of the EEA:

• Third-Party service providers - We work with many different service providers and other third parties who process your personal data on our behalf. We only do business with companies that meet our standards on the processing of data and security, and we only share data that is necessary for the service.
• Business transfers; bankruptcy - If Metropolitan Gaming or substantially all of its assets are acquired by a third party or in the event of a merger, reorganisation, joint venture, assignment, spin- off, transfer, or sale or disposition of all or any portion of our business, including in connection with any bankruptcy or similar proceedings, we may transfer any and all personal data to the relevant third party.
• Compliance with legal obligations - We may disclose personal data if we are under a duty to disclose or share your personal data in order to comply with any legal obligation or process; or to comply with any legal requirements of any governmental authority, including, but not limited to, gaming regulators; or in order to enforce the terms of loyalty program membership with you and other agreements.
• Protection of our business and customers - We may disclose personal data to protect the rights, property or safety of Metropolitan Gaming, our customers or others. This includes exchanging data with other casinos, companies and organisations for the prevention and detection of crime and problem gambling. For example, in order to protect our business from criminal activity and to comply with the Licensing Objectives of the Gambling Act 2005 (i.e. preventing gambling from being a source of crime or disorder, being associated with crime or disorder or being used to support crime), we may share your personal data such as name, ID card/ passport data, contact details, gambling records, photographic images and relevant incident/ accident details with other UK land-based casino operators, or if you are found to have committed a crime, such as, but not limited to, cheating, theft, money laundering or robbery.
• Fraud prevention - As part of our registration ID and verification process, we may conduct identity verification using a recognised fraud prevention agency.

Our website may, from time to time, contain links to and from the websites of our partner networks, advertisers and affiliates. We do not expressly or impliedly endorse the materials disseminated at those websites, nor does the existence of a link to another site expressly or impliedly mean that the organisation or person publishing at that site endorses any of the materials on our site. Links to other websites are provided only as a convenience to our users and for data only. We have no control over the contents of those sites or resources and accept no responsibility for them or for any loss or damage that may arise from your use of them.

If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies.

Metropolitan Gaming websites

For users of our websites, we have a separate Cookie Policy, which describes our application and use of cookies in relation to your browsing activities and related data.

How long do we store your data for?

We will process your personal data for as long as it is necessary to fulfil the purposes outlined in this Data Processing Notice after which it will be retained for a defined period as stipulated in the MG Data Retention Policy. Once this period, or any subsequent change in the retention period has expired, it will be securely deleted.

Marketing consent

You have the right to ask us not to use your personal data for direct marketing purposes. We will usually inform you (before collecting your data) if we intend to use your data for such purposes. You can exercise your right to prevent such processing by leaving certain boxes unticked on the forms we use to collect your data. You can also exercise the right at any time by contacting us to opt out of direct marketing communications at marketing@metropolitangaming.com or 020 7518 0000. You will need to indicate whether you wish to opt out of direct marketing communications from Metropolitan Gaming casinos (this is the default choice) or from the entire Metropolitan Gaming.

If you prefer not to receive emails or SMS messages from Metropolitan Gaming Group, you can click on the 'unsubscribe' option found on the bottom of all our email and SMS marketing communications or you may contact us at marketing@metropolitangaming.com or 020 7518 0000.

In certain circumstances, you have the following legal rights in relation to your personal data (to the extent consisting of "personal data" in the EEA and countries with similar data protection laws, and so we use that term in the rest of this paragraph). We may ask you for additional data, so that we take reasonable steps to check that - for example - we only provide personal data to the person to whom the data relate.

• Right of access to your personal data (commonly known as a "data subject access request" or "DSAR"). This enables you to receive a copy of the personal data that we hold about you and to check that we are lawfully processing such data.
• Right of rectification of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, although we may need to verify the accuracy of the new data that you provide to us.
• Right to erasure of your personal data. This enables you to ask us to delete or remove personal data in certain circumstances. Please note, however, that we may retain your data in certain circumstances in accordance with law, or regulatory reasons, which will be notified to you, if applicable, at the time of your request.
• Right to restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios:
  (a) if you would like us to establish the accuracy of such data;
  (b) where our use of the data is lawful, but you do not want us to erase it;
  (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or
  (d) you have objected to our use of your data, but we need to verify whether we have overriding legitimate grounds to use it.
• Right to portability of your personal data to you or to a third party. If you so request, we shall provide you, or a third party that you have chosen, with a copy of your personal data in a structured, commonly used, machine-readable format. Please note that this right only applies to automated data that you initially provided consent for us
  to use, and is in the whole mechanically processed, or where we used the data to perform our contract with you.
• Right to object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation that makes you want to object to processing on this ground, in which case we will consider whether we have compelling reasons to continue to process your data.
• Right to object to direct marketing. You also have the right to object where we are processing your personal data for purposes of direct marketing.
• Right to withdraw consent at any time where we are relying on consent to process your personal data. If you withdraw your consent, we may not be able to provide certain products, content or services to you.
• Right to complain in the UK or elsewhere in the EEA. If you would like to register a complaint, please contact us. This does not override your right to complain to the relevant supervisory authority at any time.