|Date of latest review
|25th May 2018
|GDPR entry into force
|8th June 2023
|Privacy is a fundamental human right and persons engaging with EM Group must trust that their personal data is handled with care. Therefore, protection of privacy and security of Personal Data is very important to EM Group. Personal Data relating to identified or identifiable natural persons may only be processed in accordance with this Policy.
|The Global Risk & Compliance Board is EM Group’s highest decision-making and executive body deciding on all risk and compliance matters that may impact the EM Group.
|Natural person or company with which EM enters into a business relationship.
|The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing of Personal Data;
|Natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Data Controller.
|It is any freely given, specific, informed and unambiguous indication of the data subject by which he or she agrees with the processing of their Personal Data.
|Personal Data Breach
|A breach of security leading to the accidental or unlawful destruction, loss, alteration, compromise, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed by or on behalf of EMG, and which triggers regulatory obligations.
|Personal Data Incident
|An event that involves or could involve Personal Data and which has the potential to become a Personal Data Breach. For the purpose of this Policy, Personal Data Incident may also refer to potential Personal Data Breach.
|Data Protection Laws
|The legislation regarding data privacy which may be applicable, based on the location of the EM service provider and of the Data Subject, such as the EU General Data Protection Regulation 2016/679 (“GDPR”), UK GDPR, Personal Data Protection Act (PDPA) Singapore, or any other applicable data protection, privacy laws or privacy regulations.
|A natural person to whom Personal Data relates and who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, etc.
|Data Protection Officer
|Entities that jointly determine the “means and purposes” of the processing of Personal Data.
|Any information that relates to an identified or identifiable living individual (“Data Subject”). Different pieces of information which, collected together, can lead to the identification of a particular person also constitute personal data. Personal data that has been de-identified, encrypted or pseudonymised but can be used to re-identify a person remains personal data.
|Processing of Personal Data
|Any operation or set of operations performed on Personal Data or on sets of Personal Data, whether by automated means, such as collecting, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
|Recipient is a natural or legal person, public authority, agency or another body, to which the Personal Data are disclosed, whether a Third Party or not.
|The legal or natural person appointed by the processor to process Personal Data on behalf of the Controller.
|An individual or a company (i.e. consultants, agents, intermediaries, representatives, subcontractors, suppliers) that performs work, provides a service or sells goods to EM.
|EMG Staff (Employee)
|Natural person who works part time or full time under a contract of employment (employment agreement) with an EMG entity or a natural person providing managerial services to EMG based on an agreement between EM and the natural person directly or via a management company indirectly, as well as other persons who act on behalf of EMG within the scope of its business activities and who are therefore in a similar position to the EMG staff, but who are not employed by EMG (e.g. self-employed or temporary workers).
|Ultimate beneficial owner
Controller, Joint Controller and Processor, and DPO are terms based on the GDPR, which will only be used for jurisdictions outside the European Union in those cases where GDPR is applicable or the local legislation implements similar terms (such as the PDPA in Singapore or UK GDPR).
2. Background, Scope & Purpose
In this policy, “EM Group”, “EMG”, “EM”, “our”, “we” or “us” refers to the global group of entities within the EM Group, each of which is a separate legal entity, or refers to one or more of those entities. The controllers of Personal Data are one or more of the EM entities listed in Annex I hereto “List of EM Entities & Data protection authorities and legislation”.
EM entities in countries outside the European Union (EU) have appointed Trustmoore Coöperatief U.A. as representative in the EU.
EM recognizes the expectations of its Clients, Employees and other Third Parties, and the inherent risk regarding the privacy, confidentiality and security of their Personal data when it resides within EM.
EM globally applies this Policy as a minimum standard for protecting Personal Data of its Clients and Employees around the world. Each EM entity will ensure the application of local regulations. In particular, EM entities (Data Controllers) will ensure that data privacy and protection is methodically embedded into relevant business processes and procedures and integrated into affected IT systems and applications (Privacy by design and by default). EM entities (Data Controllers) consider the state of the art, cost of implementation and the nature, scope, context and purposes of processing, as well as the severity and likelihood of risks to the rights and freedoms of Data Subjects posed by the processing. Thus, EM Entities implement appropriate technical and organizational measures (e.g. pseudonymization and data minimization) in an effective manner and integrate the necessary safeguards into the processing of Personal Data.
 Please refer to Annex I ‘List of EM Entities & Data protection authorities and legislation’ for more information.
3. Types of Personal Data
The Personal Data that EM collects and processes may depend on the type and scope of the activities engaged:
|Types of personal data
|Clients, UBOs, directors of Client companies and affiliate entities, Client’s shareholders, Client’s employees, business associates (contact persons, ambassadors, etc.)
|Name (first name, middle name, family name), address, telephone, email, nationality, date of birth, place of birth, gender, Tax / Social / National identification number, job title, Client ID (IDs, passport, driving license), signature, bank account details, financial information, user account details, professional life data, personal life data;
|Clients, UBOs, directors of Client companies and affiliate entities, Client’s shareholders, Client’s employees, business associates (contact persons, ambassadors, etc.)
|Name (first name, middle name, family name), address, telephone, email, nationality, date of birth, place of birth, gender, Tax / Social / National identification number, compensation and benefits financials, job title, Client ID (IDs, passport, driving license), signature, bank account details, financial information, professional life data, personal life data, criminal record (if required by law);
|E-Gambling License application
|Clients, UBOs, shareholders (if natural persons), directors of Client companies and affiliate entities, Client’s shareholders, Client’s employees, business associates (contact persons, ambassadors, etc.)
|Name (first name, middle name, family name), address, telephone, email, nationality, date of birth, place of birth, gender, Tax / Social / National identification number, compensation and benefits financials, user account details, job title, Client ID, signature, bank account details, financial information, professional life data, personal life data;
|Human Resources and Payroll
|Employees, candidates, managers
|Name (first name, middle name, family name), address, telephone, email, nationality, date of birth, place of birth, gender, marital status, Tax / Social / National identification number, compensation and benefits financials, user account details, job title, Employee ID, signature, bank account details, health status related data, CVs, education, employment information, work history, declaration of good behaviour/extract of criminal record (if required by law).
|Managers or other designated individuals
|Name, name of employer, phone, email and other contact details.
In a few cases, as some of the EM entities are licensed and regulated under a strict set of rules, e.g. when applying enhanced due diligence measures as per the applicable AML&CTF legislation and performing background checks and screenings thereunder, EM may process special categories of Personal Data such as Personal Data relating to: race or ethnicity, membership in trade unions, criminal convictions and offenses by requesting criminal records. EM will only process such Personal Data in order to verify the Data Subject’s background, if there is no other way to confirm it, and with the Data Subject’s consent, after having informed them about the reasons for collecting such Data. EM will apply additional safeguarding measures regarding these types of Personal Data.
Personal Data related to health and health status may sometimes be required in connection with the provision of additional benefits to Employees (such as health insurance) and handling of HR activities (sick leaves). EM will only process such Personal Data with Employer’s consent and after having informed them about the reasons for collecting such Data. EM will apply additional safeguarding measures with regard to these types of Personal Data.
EM does not knowingly process Personal Data of minors. EM does not knowingly collect data related to religious or philosophical beliefs, sex life, sexual orientation, political views, information about genetic and biometric data. If, however, such data has been obtained by EM, it will be immediately and irreversibly deleted.
4. Use of Personal data, Purposes and Legal grounds
4.1. Clients: When a Client engages EM for the provision of professional services, EM will collect and use Personal Data when EM has a valid business reason to do so in connection with those services and legal obligation thereof. In the context of providing professional services to Clients, EM also processes Personal Data of individuals who are not directly EM’s Clients (for example: Client’s employees, customers or suppliers, Ultimate Beneficial Owners, Client’s directors or shareholders, business associates, others as the case may require). The legal grounds for processing such Personal Data are:
- EM’s legal obligations under the AML&CTF legal acts and other applicable legislation in force, as well as EM’s internal KYC procedures;
- Performance of the contract between the Client and EM;
- Legitimate interest in providing the Client with seamless, consistent, high-quality services.
4.2. Employees: EM processes data of its Employees for HR and payroll purposes. EM also does background checks required by law or regulation, for example, adverse media, bribery and corruption, and other financial crime checks.
The legal grounds for processing such data are:
- Legal obligation under the applicable labour legislation;
- Performance of the labour agreement;
- Compliance with a regulatory obligation (when carrying out background checks to warrant a candidate is eligible to work).
4.3. Job Applicants: EM collects information from and about applicants in connection with available employment opportunities at EM. The information that EM collects, the manner in which it is used, and the timing in which it is gathered varies depending on the country in which the applicant applies. Depending on the country in which you apply, EM collects personal data about candidates from the following sources:
- Directly from the applicant – for example, information that an applicant has provided when applying for a position directly through the EM website;
- From recruitment agencies – for example, when a recruitment agency with applicant’s details contacts EM to suggest them as a potential candidate;
- Through publicly available sources online – for example, where the applicant has a professional profile posted online (e.g., on his/her current employer’s website or on a professional networking site, such as LinkedIn);
- By reference – for example, through a reference from a former employee or employer, or from a referee within or outside EM.
Legal grounds for processing personal data of job applicants are:
- EM legitimate interest in attracting, identifying and sourcing talents;
- EM legitimate interest to process and manage applications for roles at EM, including the screening and selecting of applicants;
- Compliance with a legal or regulatory obligation (when carrying out background checks to warrant a candidate is eligible to work).
4.4. Suppliers: EM processes personal data about suppliers (including subcontractors, and individuals associated with suppliers and contractors) in order to manage EM’s relationship and contract with them, and to receive services from the respective suppliers. Before EM takes on a new supplier, EM also carries out audit independence and other background checks required by law or regulation, for example, adverse media, bribery and corruption, and other financial crime checks.
Legal grounds for processing personal data of our suppliers are:
- Performance of the contract between EM and the supplier;
- Compliance with regulatory obligation to perform checks on counterparties;
- Legitimate interest in managing payments, fees and charges;
- Legitimate interest in understanding any conflict of interest, conducting or defending legal proceedings;
- Legitimate interest in safeguarding against dealing with the proceeds of criminal activities or assisting in any other unlawful or fraudulent activities.
EM shall not store, transfer, modify, amend or alter, disclose or permit the disclosure, or process the Personal Data in any way other than as specified above. In cases where processing is required, but not explicitly envisaged in this Policy, the affected Data Subject will be notified accordingly and without undue delay.
5. Personal Data retention
Personal Data will be kept for the duration of the business relationship with EM and for the years afterwards stipulated by local regulations for complying with all legal, regulatory, and internal policy purposes. After expiration of this retention period, the corresponding data are routinely deleted and any hard copies of them are destroyed. For more information refer to EMG Data Retention Policy or contact EMG’s DPO at [email protected].
6. Sub-processing and third parties
EM may be required to appoint certain third parties to provide part of the services to its Clients or Employees, or assist with provision of the services, or render technical support, to which Personal Data may be disclosed, such as: I.T. service providers, banking partners, accountancy and legal firms, auditors or other suppliers (Sub-processors) as required by law or contract. EM may also share Personal Data across the EM Entities.
EM maintains an extensive Third-party register and Outsourcing register. In case a query with respect to these registers is made, the DPO at [email protected] can provide the relevant information.
Sub-processors are in each case subject to the terms and conditions laid down by EM, which are no less protective than those set out in this Policy. EM will inform the Client or Employee of the details of such Sub-processor(s) and types of Personal Data disclosed to them upon written request from the Data Subject. Such requests can be made at: [email protected]. EM will inform the Client or Employee in advance of any intended changes concerning the addition or replacement of Sub-processors and thereby give the Data Subject the opportunity to object to such changes. If the Client or Employee does not object in writing within five (5) days of receipt of the notice, the Data Subject is deemed to have accepted the new Sub-processor. If the Client or Employee does object in writing within five (5) days of receipt of the notice, EM and the Client or Employee will discuss possible resolutions.
7. Joint Controllers
In case EM acts as a Director of a Client company (Object company), it may act as a Joint Controller together with the Client. Since EM may be involved in determining the purpose and means of the processing of Personal Data of a Client company, its role as a Joint Controller together with the Client is justified. In all other cases in which EM will provide services to the Client, it will act as a Processor, within the meaning of the Processor definition.
8. Rights of Data Subjects
EM takes appropriate measures to comply with data protection laws in order to ensure Data Subjects’ rights. In case Data Subjects have any questions, requests or complaints regarding their rights, they are encouraged to contact EM via [email protected]. Any written question, request or complaint should have a clear subject related to the rights of the Data Subjects.
Subject to the applicable local legislation, all Data Subjects will have at least the following rights with respect to their Personal Data:
- The right to withdrawal or revocation of any consent given to EM: Data subjects have the right to withdraw or revoke any consent given to EM unless the applicable legislation requires otherwise.
- The right to be informed: Data Subjects have the right to be informed about the collection and use of their Personal Data. Data Subjects also have the right to be informed of the recipients or classes of recipients to whom their Personal Data has been or may be disclosed.
- The right of access: Data Subjects will have a right to access their Personal Data. EM can refuse the request if it is manifestly unfounded or excessive. EM will provide its response within a month of receipt of the request, though this can be extended by two months if the request is too complex.
- The right to rectification: Data Subjects have the right to request from EM the rectification of inaccurate Personal Data concerning them.
- The right to erasure (right to be forgotten): Data Subjects can ask that their data be deleted in certain circumstances unless there is a legal obligation or other legal grounds for EM to retain the data.
- The right to restrict processing: Data Subjects have the right to request the restriction or suppression of their Personal Data in certain circumstances.
- The right to data portability: Data subjects will also have a right to data portability where the condition for processing Personal Data is consent or the performance of a contract. It entitles Data Subjects to obtain any personal data they have “provided” to EM in a machine-readable format. Data Subjects can also ask for the data to be transferred directly from one controller to another.
- Right to object: A Data Subject can object to their Personal Data being processed for direct marketing purposes at any time. This includes the processing of their personal data for profiling purposes.
- Rights in relation to automated decision making and profiling: EM does not use automated decision making and profiling.
9. Personal Data Breach
A Personal Data Incident is any event that involves or could involve Personal Data and which has the potential to become a Personal Data Breach. Personal Data Incidents are all potential Data Breaches that have not yet materialized.
A Personal Data Breach exists in case of accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
Personal Data Incidents and Personal Data Breaches are handled according to the Data Protection Laws and in accordance with EMG Data Breach Procedure whereunder EM entities (Data Controllers) and Data Processors have implemented and maintain effective processes to ensure timely notification to the DPO and respective Data protection authorities.
10. Safeguarding Measures
10.1. Confidentiality and Security
EM keeps the Personal Data confidential and will ensure its Employees, managers and Sub-processors are bound by the same confidentiality obligation.
10.2. Training and Awareness
Local Statutory Board, supported by the DPO or CF, ensures a proper level of awareness of this Policy by means of providing training and awareness sessions to employees, managers and, if needed, sub-processors. Each EM employee must adhere to and comply with this Policy and raise any questions and concerns with respect to this Policy to the DPO or CF.
10.3. Technical safeguarding measures
EM has adopted and implements an Information Security Policy governing all technical and organisational measures to protect Personal Data. Some of the technical measures include, but are not limited to:
- Data encryption tools;
- Desktop and laptop firewalls;
- Antivirus and anti-malware software;
- Multifactor authentication approaches;
- Automated patching and security vulnerability assessments;
- Strong physical, environmental, network and perimeter controls;
- Intrusion detection and prevention technologies;
- Monitoring and detection systems.
11. Transfers of Personal Data
EM entities operate in more than one jurisdiction. Certain aspects of EM’s infrastructure are centralized, including information technology services provided to EM entities. In addition, where engagements with EM Clients span more than one jurisdiction, certain information will need to be accessed by all those within EM who are working on the matter on a need-to-know basis. Therefore, Personal Data may be made available or transferred to and stored outside the country in which Data Subjects are located. This may also include countries outside the European Economic Area (EEA).
By adopting this global Policy, EM ensures appropriate security and legal precautions to protect the safety and integrity of Personal Data that is transferred within the EM group. This Policy requires all EM entities worldwide to use the same minimum standards of protection for Personal Data as required by Member States of the European Union. Moreover, EM enters into standard data protection clauses as adopted by the European Commission with all third parties outside the EEA.
Personal data is also processed by EM support providers (Sub-processors) as indicated in Section 6 “Sub-Processors” herein above.
12. Other Disclosures
EM discloses your personal data:
- Where this is appropriate for the purposes described in Section 4 “Use of Personal data, Purposes and Legal grounds”, including within the EM group itself;
- If required, by applicable law;
- In order to comply with a judicial proceeding, court order or other legal obligation, or a regulatory or government inquiry;
- With Data Subject’s consent;
- EM has a legal obligation to report suspicious transactions and other activity to relevant regulatory authorities under AML&CTF acts or related legislation. EM also reports suspected criminal activity to the police and other law enforcement bodies;
- Third-party recipients such as: professional advisors, banking partners, law firms, tax advisors or auditors, insurers, public registries of company directors and shareholdings, regulatory bodies, providers of background checks services, service providers, support providers.
EM does not share any Personal Data for advertising or direct marketing purposes without the Data Subject’s explicit consent.
Data Subjects have the right to lodge a complaint with the respective data protection authority in their country. The list of data protection authorities in the jurisdictions within which EM operates is indicated in Annex I “List of EM Entities & Data protection authorities and legislation”. Complaints may also be submitted to [email protected].
14. Reporting and Escalation
Employees must report instances of non-compliance with this Policy to the CF/DPO or their line manager who reports to Local Statutory Board. The CF/DPO will report any material issues to the Global Risk and Compliance Board. Local authorities should be informed in accordance with local rules and the Data Breach procedure. In case hierarchical reporting is not possible or appropriate, EM employees may report a (suspected) incident or a concern via the whistleblowing channel in accordance with EM Whistleblowing Policy.
15. Roles and Responsibilities
- The GR&CB – approves this Policy and oversees its implementation on EM level.
- Local Statutory Board – responsible for the proper implementation of this Policy at the local level, proper level of awareness and for ensuring that personal data privacy is adequately addressed by means of allocating appropriate resources for the day-to-day management of Personal Data.
- Employees – responsible for ensuring personal data privacy in their daily work and for complying with this Policy by following the rules, attending compliance training and awareness sessions.
- Compliance Function (the “CF”) – responsible for providing an oversight, guidance and monitoring with regards to the rules and requirements of this Policy in accordance with the Compliance Charter.
- Audit Function – responsible for providing an independent review of the activities performed by the 1st and 2nd lines of defense in connection with this Policy.
This Policy is a Level I Policy that provides a global de-minimis norm that will be adopted by and implemented in all entities of the EM Group. Variations in accordance with local procedures are permitted in a Level II policy in accordance with the Group Corporate Governance Policy to the extent that they process Personal Data.
Annex I: List of EM Entities & Data protection authorities and legislation
|Data Protection Board
|EMS Management Services N.V; Emoore Holding B.V.; Emoore N.V.;
|Office of the Commissioner for Personal Data Protection
|Emoore Cyprus Ltd.
|Office of the Information and Data Protection Commissioner
|Emoore Malta Ltd.; EM Services (Malta) Ltd; EM Admin (Malta) Limited
|EM Group Administration Services Netherlands BV; iGaming Compliance Netherlands B.V.;