The protection of your privacy is important to us. We respect your personality and privacy and ensure that they are protected and that your personal data are processed in accordance with the law. The legal basis for the protection of personal data for people who are ordinarily resident in the EU area or the Principality of Liechtenstein differs from the legal foundations for people who are ordinarily resident in Switzerland. As the provisions of the European General Data Protection Regulation (GDPR) are stricter than Swiss data protection legislation, the relevant articles of the GDPR are listed. However, the applicability of the different legal bases depends on the relevant personal, factual and geographical area of validity.
Personal data includes all details and information that relate to identified or identifiable individuals. In addition to your contact details such as name, phone number, home address or e-mail address, this also includes other details that you provide to us, such as your date of birth.
I. Responsibility for data processing
Swisslos Interkantonale Landeslotterie Genossenschaft (Swisslos) is responsible for processing your data.
If you have any questions or suggestions with regard to data protection, you may contact our Data Protection Officer, Ms Laura Grüter Bachmann, at any time, either by phone on 0848 877 855, or by post at:
Swisslos Interkantonale Landeslotterie
Data Protection Officer
Lange Gasse 20
or via e-mail at: email@example.com.
For natural persons ordinarily resident in the countries of the European Union (incl. the Principality of Liechtenstein) and for the country-specific supervisory authorities provided for in accordance with the General Data Protection Regulation (GDPR), we hereby appoint as EU data protection officer pursuant to Art. 27 GDPR the following person:
EU data protection representative pursuant to Art. 27 GDPR:
e-comtrust international ag
Achterdiek 28 b
Tel. 0049 (0)421 849 198 00
II. General information about data processing
1. Legal bases
Currently, the basis for the processing of personal data by Swisslos is the Gaming Contract, which is concluded between Swisslos and a game participant if
- the player is registered and has confirmed acceptance of the Terms and Rules and Rules of Play in force for the respective product as well as the Terms and Rules for Internet Games;
- the stake for the respective transaction or play request has been placed;
- the participation transaction data have been transferred to Swisslos, the product has been bought, participation has been recorded on the Swisslos servers in accordance with the regulatory provisions and
- a corresponding entry confirmation ticket has been generated on the Internet Gaming Platform (ISP).
Art. 6 para. 1 b) of the GDPR thus comes into effect as the legal basis for the processing of personal data.
Further, Swisslos is authorized and required to collect personal data and, if necessary, notify the supervisory authorities pursuant to Art. 6 para. 1 c) GDPR and on the basis of the following legal provisions:
- Art. 51 of the Federal Act on Gambling (GamblA) of 29 September 2017 and Art. 41 of the Implementing Ordinance governing gambling of 7 November 2018
- Art. 46ff. Implementing Ordinance
- Art. 64 para. 3 GamblA and Art. 73f. Implementing Ordinance
- Art. 67f. GamblA and Art. 3ff. of the FDJP ordinance on due diligence requirements to be met by organizers of major gaming events in order to combat money laundering and the financing of terrorism (GwV-EJPD) of 7 November 2018, Art. 9f. GwV-EJPD and Art. 7 Anti-Money Laundering Act (AMLA) of 10 October 1997 in conjunction with Art. 23 GwV-EJPD
- Art. 78 para. 2 GamblA
- Art. 82 GamblA and Art. 85 of associated Implementing Ordinance
- Art. 109 GamblA
Furthermore, the legal basis for the processing of personal data arises from Art. 6 para. 1 a) and f), and especially explicit consent from our customers to process the personal data pertaining to them for one or more specific purposes.
2. Scope of processing of personal data
Our processing of our customers' and suppliers personal data is restricted to those data that are required to provide a well-functioning website and our contents and services as well as for the fulfilment of the contract. Our customers' and suppliers personal data are processed solely for the purposes agreed with them or if another legal basis exists (within the scope of the GDPR or Swiss data protection legislation). This may arise, for example, from technical necessity, contractual or legal requirements, or prevailing interests, i.e. for legitimate reasons, or if you expressly consent. Only those personal data which are actually required for the execution and management of our duties and services are collected, such as managing the customer relationship, managing the supplier relationship, providing our services, managing our games and contracts, complying with legal requirements, sales and payment transactions, responding to questions and concerns, information about our products and services as well as their marketing, and support for technical issues.
3. Your rights
Rights of the person affected (data subject rights)
You have the right to request information about your personal data which is processed by us within the framework of the data protection legislation applicable to you and to the extent given therein (such as in the case of the GDPR). In particular, you may request information about the purposes of processing, the categories of the personal data, the categories of recipients who are or were provided with your data, the planned retention period, the existence of a right to the rectification, deletion or restriction of processing, the origin of your data if this was not collected by us, as well as the existence of an automated decision-making tool, including profiling.
Right to object
If you have expressly consented to the use of your personal data, you also have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data pertaining to you based on Art. 6 para. 1 f) of the GDPR.
The responsible party will no longer process the personal data unless they can demonstrate compelling legitimate reasons for the processing which override the interests, rights and freedoms of the affected person, or for the assertion, exercise or defence of legal claims.
If you believe that the processing of your personal data by us contradicts the applicable data protection provisions, you may complain to the data protection authority. The responsible data protection authority in Switzerland is the Federal Data Protection and Information Commissioner (http://www.edoeb.admin.ch). In Liechtenstein, this is the Liechtenstein Data Protection Authority (https://www.datenschutzstelle.li).
Exercising these rights requires you to clearly prove your identity (e.g. with a copy of identification if your identity is not clear or cannot be verified). You may contact us at the address provided in Section I. to assert your rights.
Right to object
If and to the extent that you have consented to Swisslos processing your data with a corresponding declaration, you may revoke your consent for the future at any time. For newsletters, etc. you can revoke this consent yourself by clicking on the unsubscribe link or in your game account under "Newsletter".
4. Retention period of your data
Your data are deleted once they are no longer required to fulfil the purpose for which they were collected (e.g. as part of a contractual relationship). Data will be blocked rather than deleted if legal or actual obstacles prevent the data from being deleted (for example, statutory retention obligations in accordance with the Swiss Code of Obligations or special legislation).
III. Description and scope of data processing
1. Data collection at the point of registration and when purchasing services
For regulatory and contractual reasons, access to the chargeable offerings on the Internet Gaming Platform provided by Swisslos (website, apps) is only possible by registering and thus opening a customer account. To do so, we require the following personal details:
- Last name, first name
- Date of birth
- E-mail address
- User name
- Copy of identification (ID card, residence permit or driving licence)
We retain these data for as long as you have a customer account and until the statutory retention periods have expired.
When you purchase and/or play with products on the Internet Gaming Platform, in addition to the data required for registration – depending on the product or service – we collect the following data:
- Gaming transactions (participation, winnings, cancellations)
- Date and time of access
- Purchase date and duration of subscriptions incl. stake
- Purchase channel (Internet, app, etc.)
- IBAN no.
After two years, deactivated accounts are physically deleted by Swisslos without consultation with the account holder; as part of this process, a PDF containing the customer data is created and stored for a period of 10 years.
If a product is purchased at a sales outlet, and a prize is won which must be redeemed from Swisslos owing to its value, the winner's title, last name, first name, address, telephone number (if available), e-mail (if available), date of birth, language and bank details, together with the amount won, are stored for a period of ten years (sports bet wins of CHF 5,000 or more and other wins of CHF 10,000 or more) or three years (all other wins).
Within the context of the legal obligation upon us to ensure due diligence in the combating of money laundering, in the prescribed cases we must also collect the following personal data:
- Nationality (incl. copy of an official identification document)
- Classification as a foreign politically exposed person, or a person who is a close associate of such
- Classification as a domestic politically exposed person, or a person who is a close associate of such
- Declarations by players regarding beneficial owners
- Documents including notes on the results of special investigations
- Documents including notes on the risk classification and on the results of the application of risk characteristics.
The deletion of data collected as part of money laundering prevention activities is carried out in accordance with Art. 23 of the FDJP anti-money laundering ordinance.
Within the context of player protection, the documents regarding your personal, professional and financial situation that are required from you to fulfil the legal obligations are:
- Salary certificates
- Statement of assets and/or tax documentation
- Extract from the debt collection register
- Player information
If a gaming ban is put in place under Art. 80 of the Gambling Act, the blocked players and information about their identity, as well as the type and reason for the gaming ban, is entered in the Swiss ban register, VETO.
The basis for this data processing is Art. 6 para. 1 b) and c) of the GDPR.
2. Data collection when working with suppliers
As part of a supplier relationship, the following personal data are processed:
- Company name
- Title of supplier’s representative
- First and last names of supplier's representative
- Supplier’s address
- Title of contact person
- First and last names of contact person
- Telephone number of contact person
- E-mail address of contact person
We retain these data for as long as the contractual relationship with Swisslos is in force and until any statutory retention periods have expired.
3. Identity, credit and KYC check
You are advised that the application and order data provided for the purposes of checking your identity are compared with data that Swisslos obtains from CRIF AG (www.myCRIFdata.ch/#/dsg) and data from the Swiss Post web service (Kompetenzcenter Adressen, Kriens). In Switzerland, CRIF AG is a provider of credit risk management, fraud prevention and address management solutions for every phase of the customer relationship cycle. In the context of player protection, credit checks are also carried out by CRIF AG in certain situations.
In the context of money laundering prevention, your application and order data provided as part of additional clarifications are compared with the KYC and/or due diligence data from LexisNexis GmbH, Düsseldorf. Swisslos does not transmit any personal data to Lexisnexis GmbH.
The basis for this data processing is Art. 6 para. 1 c) of the GDPR.
4. Customer communication in the context of money laundering prevention and early detection in player protection
As part of its legal obligation in the areas of money laundering prevention and early detection in player protection, Swisslos may send you information on measures or request the submission of documentation or contact you (mainly by e-mail, SMS, telephone or post). To this end, your personal data listed in III/1 and 2 will be processed.
The basis for this data processing is Art. 6 para. 1 c) of the GDPR.
5. Data processing for the purpose of marketing communication
From time to time, Swisslos would like to send you information regarding offers and news regarding its products and services (e.g. via e-mail). To this end, your personal data collected during registration and use of the Swisslos game account will be processed for marketing and analysis activities. Specifically, this includes title, first name, last name, e-mail address, date of birth, your contract and subscription details, information about individual games or other services purchased (as well as your clicking behaviour on our websites). However, Swisslos will obtain your express permission in advance.
When you receive information and offerings for marketing purposes, on each occasion you have the opportunity to unsubscribe from receiving any further messages. To this end, each e-mail contains an unsubscribe link which you can click on to prevent further messages. If you have a Swisslos customer account, you can log in at Swisslos.ch and manage your settings for marketing messages at any time under "Newsletter" in your user account. You can arrange the settings for push messages in the apps directly on your smartphone. More information can be found in section 12.
Each year, Swisslos sends out a company mailing (product ordering option for companies). This mailing is sent to addresses of companies that have already ordered from Swisslos in the past in connection with this company mailing, as well as to addresses it obtains from Künzler-Bachmann Directmarketing in St. Gallen. If you have any questions or wish to object to this, please contact this company directly by e-mailing firstname.lastname@example.org, calling 071 314 04 04 or going to https://kbdirect.ch/datenschutz/.
When you receive company mailings (product order option for companies), on each occasion you have the opportunity to unsubscribe from receiving any further messages.
The basis for this data processing is Art. 6 para. 1 a) of the GDPR.
6. Data processing for market research purposes
We occasionally conduct our own market research to continuously improve the quality of our services and offers. We may therefore use your contact details for online surveys if you are registered to receive a newsletter. To this end, we will write to you in person to invite you to participate. We will then evaluate your survey responses in a neutral and pseudonymized form, without any connection being made to your name. The data collected in this way will also not be passed on to third parties and will be deleted once the market evaluations are complete and after a maximum of 360 days.
The basis for this data processing is Art. 6 para. 1 a) of the GDPR.
7. Data processing when using our websites
In principle, you can visit our websites without having to provide any personal details. When you visit our websites, our servers store each retrieval temporarily in a log file. During this process, the following technical data are collected and stored by us for up to six months, after which they are automatically deleted:
- IP address of the requesting computer
- date and time of access
- website from which the site was accessed, with the search word used if possible
- name and URL of the file accessed
- searches conducted
- your computer's operating system (provided by the user agent)
- the browser you use (provided by the user agent)
- device type if the site is accessed on a mobile phone
- transmission protocol used
These data are collected and processed for reasons of system security and stability and for error and performance analysis, as well as for internal statistical purposes, and they enable us to optimize our Internet offering.
Moreover, these data are analysed for clarification and defence in the event of attacks on the network infrastructure or other unauthorized or improper use of the website, and if necessary used for identification purposes and for civil and criminal proceedings against the user concerned.
The basis for this data processing is Art. 6 para. 1 f) of the GDPR.
8. Data processing where further websites are used (within the framework of partnerships, roadshows and microsites)
Data collected via Swisslos within the framework of partnerships, roadshows or microsites on a website other than Swisslos.ch through active data entry on your part and with your express consent will be stored by Swisslos in accordance with the consent expressly given as part of this campaign and used for marketing purposes. These data will be stored until revoked. At no time will data be passed on to third parties.
You may withdraw and revoke this express consent at any time in accordance with the conditions of section II/3 (Right to object).
The basis for this data processing is Art. 6 para. 1 a) of the GDPR.
You have the option of changing your personal cookie settings in the browser.
10. Tracking tools
We use Google Analytics, Google reCAPTCHA and web analysis services provided by Frosmo to provide a needs-oriented website design and to continually improve our websites, apps and e-mails.
Pseudonymized user profiles are created and small text files (cookies), which are stored on your computer, are used in connection with our websites. The information produced by these cookies about your use of this website are transferred to the servers of these service providers, and stored and prepared for us there. In addition to the data listed under section 7, we also receive the following information:
- Navigation path that a user takes on the website
- Amount of time spent on the websites
- Website from which Swisslos.ch is left
- Country, region or town/city where the website is accessed
- Device (type, version, colour depth, resolution, width and height of browser window)
- Returning or new visitor
- Transactions carried out (e-commerce)
This information is used to evaluate the use of the websites.
Swisslos uses the remarketing function of Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA („Google“) on its website. This function is implemented via a cookie and serves to present interest-based advertisements to visitors to the website as part of Google's advertising network. On these pages, the visitor may be presented with advertisements that relate to content that the visitor has previously viewed on other websites. By its own account, Google does not collect any personal data during this process. If you still do not want the remarketing function, you can deactivate it by changing the relevant settings at http://www.google.com/settings/ads. You can view further information about Google Remarketing and Google's data protection declaration at: http://www.google.com/privacy/ads/.
Below is some additional information about the tracking tools we use:
a. Google Analytics
You can prevent cookies from being stored by altering the settings of your browser software. We would point out, however, that this may stop you from making full use of all this website’s features.
If you wish to prevent your data from being used by Google Analytics, you can also click on the following link to download and install a browser add-on to deactivate Google Analytics: http://tools.google.com/dlpage/gaoptout?hl=en.
b. Google reCAPTCHA
We use "Google reCAPTCHA" (hereinafter "reCAPTCHA") on our websites. The provider is Google Inc ("Google"). reCAPTCHA is used to check whether data entry on our websites (e.g. when logging in) is carried out by a human or by an automated programme (Turing test). For this purpose, reCAPTCHA analyses the behaviour of website visitors on the basis of various characteristics. This analysis begins automatically as soon as the website visitor enters the website. For the analysis, reCAPTCHA evaluates various information (e.g. IP address, time spent by the website visitor on the website or mouse movements made by the user). The data collected during the analysis is forwarded to Google.
The reCHAPTCHA analyses run entirely in the background. Website visitors are not made aware that an analysis is taking place.
We use this tool to protect our customer accounts from abusive access attempts.
The basis for this data processing is Art. 6 para. 1 lit. f oft he GDPR.
For the visual design of our website and many other technical functions we rely on scripts produced by Frosmo Ltd., Kaivokatu 8B, FI-00100 Helsinki (Frosmo).
Frosmo uses cookie files to ensure technical functionality and to find and rectify errors where necessary. The data transmitted to Frosmo comprise a server logfile, which contains e.g. your IP address, date and time of retrieval, amount of data transferred and the requesting provider (access data) and documents the retrieval. In addition, static values about the amount of time spent on the site, the number of pages retrieved and the actual retrieved pages are transmitted. The products you play are also transmitted to Frosmo for the purpose of ensuring functionality. The data are always transferred in an encrypted, anonymized or pseudonymized form and are not evaluated systematically. Frosmo is contractually prohibited from forwarding data for any other purpose than that agreed upon. The retention period is a maximum of 365 days, after which the data are automatically deleted.
Please note that our Internet Gaming Platform only functions in an extremely limited manner if Frosmo is not activated.
When sending e-mails we use e-mail marketing services provided by Inxmail. Our e-mails may therefore contain a web beacon (tracking pixel) or a similar technical tool. A web beacon is a 1x1 pixel-sized, invisible graphic which is linked to the user ID of the e-mail subscriber in question. Web beacons are not cookies and are at no time stored or implemented on the device of the e-mail recipient.
Drawing on these services makes it possible to evaluate whether our e-mails are opened by recipients. It is also possible to record and evaluate their clicking behaviour. We use these data for statistical purposes and to optimize the content of our messages. This enables us to better tailor the information and offers in our e-mails to the individual interests of each recipient. The tracking pixel is deleted when you delete the e-mail.
To prevent the use of the web beacon in our e-mails, change the settings of your e-mail program so that HTML is not shown in messages.
Swisslos offers you the opportunity to play different products using several apps.
When using the Swisslos apps, the following data are processed as follows:
- Depending on the setting in the app, the user name and password are stored as part of the login process. If you click on "Register" in the app, registration is carried out in accordance with III/1 on the Internet Gaming Platform frontend. The app does not store these data.
- Plays purchased and/or the entry confirmation ticket data created for these are transmitted after login and used while the app is running to set out the gaming history. Nothing is saved in the app. Anonymous tracking data (number of users and sessions, session duration, operating systems, device models, region, first-time starts, app executions, app updates and in-app purchases) that are collated as standard by Google Firebase within the framework of Google Analytics are collected. See: https://support.google.com/firebase/answer/6317517?hl=en&ref_topic=6317489
- Crash reports are generated in accordance with https://support.google.com/firebase/answer/6400845, sent to Google Firebase, and visualized accordingly in the Swisslos customer account.
Location detection in Android apps
In order to offer its Android apps in the Google Play Store, Swisslos must ensure that the app can only be used within Switzerland, in accordance with the Google guidelines.
The location is detected by means of the IP address of the device used (smartphone, tablet, etc.). To do so, the IP address is sent to Swisslos, which then checks to see whether or not the IP address is registered in Switzerland.
If an IP address is identified that is registered outside Switzerland, the device location will be queried using Android’s own location services.
More information on location detection in Android apps:
12. Push messages in apps
We use push messages to notify you of processes that may require your particular attention or a reaction from you.
When loading for the first time, the app registers with Google Firebase for the corresponding push messages. The default setting is for push messages to be deactivated. In iOS, the operating system explicitly asks for the customer's approval when the app starts. An individual token which is stored in the Google Firebase system (in the relevant Swisslos account) is generated for Google Firebase. If there is a message to be sent, Google Firebase takes over the delivery attempts to the mobile device. This requires access to the relevant push services of the operating system manufacturer (Apple notification service, Google push services). The individual push messages (e.g. jackpot, news) are sent out by an application (push server) installed at Swisslos. The push server sends this information to Google Firebase. Google Firebase then takes care of transmitting this to all mobile phones which have subscribed to the push message.
13. Newsletter (without customer account)
If you register to receive one of our newsletters, we immediately send an e-mail containing a hyperlink to the e-mail address provided. Click on this link to confirm your registration for the newsletter (double opt-in procedure). If you do not confirm your registration within 30 minutes, the link which was sent becomes invalid. After 24 hours, the e-mail address in our temporary list of prospective subscribers is deleted permanently and registration is cancelled.
By confirming registration for the newsletter, you also consent to the storage of your title, first name, last name and e-mail address, including the date that you applied to register. These data will be stored for as long as you use the newsletter service.
You can unsubscribe from the newsletter service at any time by clicking on the Unsubscribe function at the bottom of every newsletter. You can also request that the newsletter service be deactivated by sending an e-mail to email@example.com. After an internal check of your deregistration and an identity check, your registration and the associated personal data for the newsletter service will be deleted.
14. Contact form
You have the option of using a contact form to contact us. To do so, you must provide certain personal data.
We use these and any other data you enter voluntarily (such as title, address, phone number) solely to respond to your enquiry in an optimal and personalized manner. In addition, your data are stored for internal statistical purposes in an anonymized form and in connection with the reason for contact.
We store all e-mails that we receive via the contact form, as well as any correspondence arising from them in cases of player protection or prize payouts, to be able to process the cases or the payouts.
15. Contact with the Swisslos Customer Service Centre
If you phone our Swisslos Customer Service Centre, your conversation is recorded for training purposes and potentially to serve as evidence if required. You will be notified that the call is being recorded at the beginning of your call. The recordings are deleted after six months.
16. Contact with the Swisslos Player Protection unit
Players, their relatives, or third parties have the option of phoning our Player Protection Officer. We record and store data which is provided voluntarily (such as name, place of residence, telephone number, products played, personal situation). However, this is solely to enable us to handle your enquiry in an optimal and personalized manner.
If this results in a player protection case, the data will be processed within the scope of III/1 and 2.
You can participate in interactive forums, such as chat (e.g. Bingo), on Swisslos.ch and other online offerings from Swisslos. Please bear in mind that any information that you divulge in these chats will become public. Suspicious and unlawful statements (e.g. problems with gambling addiction, racism, hate speech, abusive language, etc.) are recorded and stored. In such cases, Swisslos will press criminal charges.
18. Data processing by third parties in Switzerland or abroad
Swisslos ensures that when data is transferred to countries which do not have adequate data protection, the necessary measures (usually the conclusion of recognized data protection contracts, e.g. based on the EU standard contractual clauses) are taken to protect personal data in accordance with applicable data protection legislation.
Your personal data will be transmitted to the following third parties if necessary:
- Gespa – Swiss Gambling Supervisory Authority
The following data processors:
- Service providers in the areas of marketing, IT, gaming products, payment services and credit agencies
Personal data is only passed on to data processors for purposes that match those purposes for which Swisslos collected personal data, e.g. to fulfil its contractual obligations.
Your personal data will also be transmitted to the following independent controllers if necessary:
- Service providers for sport media and the sports betting industry
This means that Swisslos works with these companies but they do not act as data processors. As independent controllers, these companies decide for themselves how personal data is processed.
IV. Data security
We employ suitable technical and organizational security measures to protect your personal data stored by us from manipulation, partial or total loss, and against unauthorized access by third parties. We are certified in accordance with ISO 27001. Our security measures are continuously improved in line with technological developments.
We also take data security within the company very seriously. Our employees undertake to ensure confidentiality within the framework of their employment contract, and the external service providers contracted by us undertake in writing to adhere to the provisions on data protection.
We take appropriate precautionary measures to protect your data. However, the transmission of information over the Internet and other electronic means always carries certain security risks, and we cannot guarantee the security of information transmitted in this way.
In the event of any breaches of data protection, Swisslos is bound by the requirements regarding notification of the supervisory authorities (Art. 33 GDPR) as well as the obligation to inform the persons affected (Art. 34 GDPR).
Valid as of 1 September 2023