- References to “TSGG”, “TSGG Group”, we, us or our means The Social Gaming Group A.S. (and/or any subsidiaries and affiliated companies as amended from time to time) operating in Norway, the United Kingdom, Sweden, and the Netherlands; and any of our Franchisee Venues.
- references to Franchisee Venues means any venues operated by a third-party franchisee under the OCHE® and/or SHUFL® Venue brand;
- references to the Websites mean the following websites found at (as amended from time to time):
- references to OCHE® and/or SHUFL® Venue means any venue offering food and drinks prepared in accordance with our brand standards in a casual atmosphere in connection with entertainment and socialization through the game of darts under the “OCHE®” trademark or through the game of shuffleboard under the “SHUFL®” trademark.
- references to you or your means the person accessing and using the Website (as defined above), using any services offered by us and/or otherwise visiting an OCHE® and/or SHUFL® Venue;
- References to the GDPR means Regulation (EU) 2016/679 (General Data Protection Regulation).
- When we use the words “personal data”, we mean any information relating to an identified or identifiable natural person. An identifiable natural person can be identified, directly or indirectly, in particular, by reference to an identifier, such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- who is responsible for the processing of the personal data that we collect about you
- how do we collect your personal data
- what categories of personal data do we collect about you
- why do we process your personal data, and how will we use it
- how long will we keep your personal data
- to whom we may disclose your personal data
- will we transfer your personal data outside the European Economic Area?
- how do we ensure your personal data is secure and
- what are your rights with regard to your personal data?.
This is to make sure you have a full picture of how we process your personal data. Our Websites are designed and intended for use by adults and are not intended for children. We do not knowingly collect personal data relating to children.
Who is responsible for the processing of personal data that we collect about you?
For the purpose of data protection law, TSGG is the data controller in respect of any personal data collected and used by TSGG through your use of the Website, your use of our services and/or your visit at an OCHE® and/or SHUFL® Venue. This is because we dictate the purpose for which your personal data is used and how we use your personal data.
How do we collect your personal data?
We may collect your personal data either directly from you or indirectly from third parties.
Collected directly from you
We collect and process your personal data directly from you, for example, when you:
- complete the contact booking form on the website or with a physical presence in our venues;
- sign up for a marketing newsletter/promotional communications;
- complete a survey;
- register for an account / guest gaming profile;
- when you have a picture or video taken with the front facing camera feature;
- use of our website or app services and features;
- submit a request to our “How to contact us” team (see below);
- interact with TSGG social media pages;
- perform any contract to fulfil your orders for food and drink;
- pay for orders to our company;
- create a user profile to use the TSGG gaming services; or
- participate in any promotions, membership or loyalty programs for TSGG.
In so doing, we may ask for personal data, such as your name, date of birth, address, email address, telephone number or credit card details.
We may also collect “special categories of personal data” about you with your explicit consent. For more information on the special categories of data we collect and how we use it, please refer to the relevant section below.
We also receive and store certain types of personal data whenever you interact with us online. For example, when you:
- Install and use TSGG mobile apps.
- Enable location-based features on our websites.
- Request free access to Wi-Fi in our venues.
Examples of the types of personal data we collect include; IP address, device ID, location data, computer and connection information such as browser type and version, time zone setting, browser plug-in types and versions, and operating system. During some of your internet browsing on TSGG websites we may also use software tools to measure and collect session information, including page response times, download errors, length of visits to certain pages, page interaction information, and methods used to browse away from the page. We may also collect technical information to help us identify your device for fraud prevention and diagnostic purposes.
Collected from third parties
We may collect personal data from other sources. For example, this may include receiving personal data from:
- Our trusted partnerships with third parties, including analytics vendors etc.
- where we operate TSGG accounts on third-party platforms, for example, Facebook, Instagram, Twitter, LinkedIn and Snapchat. The information we receive from these social media sites is dependent upon the social media site’s policies and your settings on that site.
- from a third party when we jointly offer services or products
Combining personal data
We may also combine personal data. For example, we may:
- Combine personal data that we collect offline with personal data we collect through our websites.
- Combine personal data we collect about you from the different devices you use to access our websites.
- Combine personal data we get from third parties with personal data we already have about you.
What categories of personal data do we collect about you?
Special categories of personal data
We may also collect certain sensitive personal data about you from you (including any special categories of personal data). Due to the nature of the special categories of personal data, we consider the processing of special categories of data as high-risk personal data processing activities and will apply the highest levels of technological and organizational measures to keep this data secure. We limit the circumstances where we collect and process these special categories of data.
For example, the special categories of personal data we hold about you may include information concerning your health, such as food allergies or intolerances which you provide to us. Where we do so, we will rely on your explicit consent, or we will notify you if we can rely on a different legal basis for processing this type of data.
Personal data relating to third parties
When you are using the Website, using any services offered by us and when you visit an OCHE® and/or SHUFL® Venue, you may provide us with personal data relating to third parties. For example, where you make a reservation at an OCHE® and/or SHUFL® Venue and wish to provide personal data of any third parties in connection to your reservation.
We process any personal data or special category of personal data of such third parties in accordance with applicable local law.
Why do we process your personal data, and how will we use it?
Purposes of processing personal data
Principles of processing personal data
Legal basis for processing personal data
- it is necessary to enter into or perform a contract we have with you (or to take steps at your request prior to entering into that contract); for example, we will process your personal data to fulfil your orders for food and drink and the process payment for those orders;
- it is necessary in order to protect your vital interests; for example, in order to protect someone’s life in case of a medical emergency at an OCHE® and/or SHUFL® Venue;
- it is in our legitimate interests to process your personal data; for example, to manage any complaints, feedback and queries and provide customer support;
- the processing is necessary to comply with a legal duty; for example, compliance with tax provisions and court orders; or
- we have your consent; for example, to engage with you via social media.
When we process your special category personal data, we will rely on either of the following legal bases:
- your explicit consent; or
- one or more of the other legal bases set out in the Appendix 2
How long will we keep your personal data?
In principle, we will retain your personal data for no longer than is necessary for the purposes for which the personal data are processed. The length of time we hold on to your personal data will vary according to what that information is and the reason for which it is being processed.
To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means. We also consider any applicable legal, regulatory, tax, accounting or other requirements which may specify how long we should retain your personal data for.
When personal data is no longer required to be stored, we take appropriate steps to securely delete, anonymize or transfer the data to an archive (where this is allowed under applicable laws).
For further information on our policy and how long we will keep your information for, please reach out to the Legal Department
To whom may we disclose your personal data?
We may also disclose your personal data to other third parties, for example:
- in the event that we sell or buy any business or assets we will disclose your personal data to the prospective seller or buyer of such business or assets.
- if we or substantially all of our assets are acquired by a third party (or are subject to a reorganisation within our corporate group), personal data held by us will be one of the transferred assets; and
- if we are under a duty to disclose or share your personal data in order to comply with any legal obligation, or we are involved in any litigation with you.
Will we transfer your personal data outside the eea?
We will process your personal data both within and outside the EEA and the UK. As TSGG begins to expand globally, we may need to transfer data internationally within the TSGG group companies.
When we transfer personal data outside the EEA and the UK, we will implement appropriate and suitable safeguards to ensure that such personal data will be protected with a similar level of protection as required by applicable data protection law in its country of origin, for example we will seek to anonymise it. If we can't anonymise your personal data, we will take reasonable steps to ensure that your personal data is always protected. For this purpose, we shall implement the following safeguards:
- Transfer to a non-EEA country whose privacy legislation ensures an adequate level of protection of personal data as the EEA; for this purpose, TSGG relies on the list of countries recognized by the European Commission to provide an adequate level of protection of personal data;
- Undertake a transfer impact assessment to analyse the impact and security implications of a transfer to a country outside the EEA that does not benefit from an adequacy finding by the European Commission;
- Put in place a contract with the third-party to ensure the third party must protect personal data to the same standards as the EEA;
- Transfer personal data to organisations that are part of specific agreements on cross -border data transfers with the EEA; or
- Transfer personal data to organisations that have adopted other appropriate safeguards, such as e.g., binding corporate rules, an approved code of conduct or an approved certification mechanism. For this purpose, we may use a set of standard data protection clauses which have been approved by the European Commission in accordance with Article 46 of the GDPR.
For further information as to the safeguards we implement and to obtain a copy, please contact the Legal Department at [email protected]
How do we ensure your personal data is secure?
We have put in place appropriate security measures to seek to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instruction and they are subject to a duty of confidentiality. Details of these measures may be obtained from the Legal Department at [email protected].
We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
What are your rights with regard to your personal data?
What are your rights?
When we process your personal data, you, as a data subject, have certain rights with respect to the data we process. The rights below are those that apply under the EU General Data Protection Regulation and so will predominantly apply to individuals located in the EEA or the United Kingdom.
As a data subject, you have the following rights:
- right to information on your personal data;
- right to access your personal data;
- right to rectification of your personal data;
- right to the erasure of your personal data;
- right to restrict processing of your personal data;
- right to data portability;
- right to object to the use of your personal data (including to object to direct marketing);
- right to object to a decision based solely on automated processing of personal data (including profiling)
- right to withdraw your consent; and
- right to lodge a complaint to the relevant data protection authority.
How can you exercise these rights?
In relation to the right to lodge a complaint to the relevant data protection authority, if you think there is a problem with how your personal data is being handled, please contact us by using the details set out in the ‘How to contact us’ section below. You also have a right to complain to the data protection authority as mentioned above. You can refer to this list of the data protection authorities in the EEA. However, there may be other data protection authorities that may be relevant to you. Please get in touch using the ‘How to contact us’ section below if you require further information.
How to contact us
Name: The Social Gaming Group AS
Postal address: Rådhusgata 30B, 0151 Oslo, Norway
Email address: [email protected] (Legal Department, TSGG)
Appendix 1: Categories of personal data
Contact information: Name, title, address, email address and telephone number.
Telephone recordings: Recordings of telephone calls with our representatives and call centres.
Register to use our online services: Username and account number for access to our website.
Details of complaints and compliments you make: Name, address, e-mail address or telephone number, details about the service you received/your experience.
Financial information and account details: Details regarding products purchased, price, payment method and other financial account details.
CCTV footage: Videos and images captured on CCTV if you visit an OCHE® and/or SHUFL® Venue.
Order data: Information regarding the online order(s) that you place with us through our website (e.g., products that you order, date of order, delivery address, payment information).
Photographs: Images that you share with us via social media or images of you taken during your use of our gaming services at an OCHE® and/or SHUFL® Venue or via app services.
Video: Images or video footage of you taken during your use of our gaming services at an OCHE® and/or SHUFL® Venue or via app services.
Customer satisfaction/feedback surveys: Your views and opinions about your visit to an OCHE® and/or SHUFL® Venue and your dining experience, as well as your views about the Website.
Technical Information: Technical Information from any device you use in our venues.
Appendix 2: Purposes & legal basis for processing personal data
- Purpose: To communicate with you and other individuals.
- Legal Basis: Legitimate interests. We require your personal data in order to enable us to manage and carry out our operations as a business. Necessary to enter into or perform a contract we have with you.
- Purpose: To manage complaints, feedback and queries and provide customer support.
- Legal basis: Legitimate interests. We require your personal data in order to enable us to manage and carry out our operations as a business.
- Purpose: To improve the quality of the Website and your dining experience.
- Legal basis: Legitimate interests. We require your personal data to enhance, modify and personalise the Website and your dining experience for your benefit.
- Purpose: To perform any contract entered into with you to fulfil your orders for food and drink and the process payment for those orders.
- Legal basis: Legitimate interests. We require your personal data in order to enable us to manage and carry out our operations as a business. Necessary to enter into or perform a contract we have with you.
- Purpose: To comply with any legal or regulatory obligations (including in connection with a court order).
- Legal basis: Necessary for compliance with a legal obligation to which we are subject.
- Purpose: To engage with you via social media.
- Legal basis: Legitimate interests. We require your personal data in order to enable us to manage and carry out our operations as a business.
- Purpose: To create a user account when using gaming services
- Legal basis: Consent. We ask for your consent to take your photograph when you create a new user account when using our gaming services.
- Purpose: To manage user accounts and memberships to gaming services (including any customer loyalty programs).
- Legal basis: Legitimate interests. We require your personal data in order to enable us to manage your user account and membership in order to carry out our operations as a business.
- Purpose: To provide a unique gaming experience.
- Legal basis: Consent. We ask for your consent to take photos and/or videos of your gaming experience that can be viewed and downloaded and/or or shared by you on your social media platforms, as well as shown on any television screens in the OCHE® and/or SHUFL® Venue where you are using the gaming services. Legitimate interest. When the gaming guest(s) consent to taking photos and/or videos of their gaming experience, it may happen that guests near the gaming booth are recorded as well. If this is not desired, these guests can speak to a member of the staff, so that appropriate steps can be taken (e.g., where possible, change seating position).
- Purpose: To analyse and improve our products to evaluate and develop our business.
- Legal basis: Legitimate interests. We require your personal data in order to enable us to manage and carry out our operations as a business.
- Purpose: To protect against fraud or other criminal activity, as well as dealing with Government authorities/law enforcement agencies.
- Legal basis: Necessary for compliance with a legal obligation to which we are subject. Legitimate interests. We require your personal data in order to enable us to manage and carry out our operations as a business.
- Purpose: To ensure security and safety of the Venues.
- Legal basis: Legitimate interests. We require your personal data in order to enable us to manage and secure the OCHE® and/or SHUFL® Venues for safety and security purposes. Necessary for compliance with a legal obligation to which we are subject.
- Purpose: To provide you with access to free Wi-Fi in our stores.
- Legal basis: Legitimate Interests. We require your personal data in order to enable us to provide you with a convenient and pleasurable experience in our stores and to enable us to manage and carry out our operations as a business.
- Purpose: To communicate with any third party individuals, such as your next of kin, or individuals who are doctors or members of the medical profession in an emergency situation.
- Legal basis: Vital interests. We may process your personal data in order to enable us to protect your vital interests.
Appendix 3: Principles relating to the processing of personal data
TSGG abides by the principles identified in the table below when processing personal data:
Lawfulness, fairness and transparency
We will only process personal data that is adequate, relevant and is limited to what is necessary. This also includes restricting access to personal data to only those functions/groups of functions that need this personal data to carry out their work.
We take appropriate measures to ensure that the personal data that we process about you is accurate and up to date. For this purpose, we provide you with the ability to correct, amend, or delete inaccurate personal data where this is applicable, in accordance with relevant laws.
In some instances, you can make these changes yourself otherwise, please contact HR for more information on how you can correct, amend or delete your inaccurate data.
In principle we do not hold your personal data for longer than is required for the original purpose it was collected, unless those purposes are compatible with the original purpose, or we are under a legal obligation to retain it for longer. The purpose of retention could be a legal obligation, such as tax law or another legitimate reason, for example to prove our rights and obligations.
When personal data is no longer required to be stored, we take appropriate steps to securely delete, anonymize or transfer the data to an archive (where this is allowed under applicable laws)
Integrity and confidentiality
The right security controls are in place to protect against unauthorized and unlawful processing and against accidental loss or destruction of, or damage to, personal data.
This includes both technical controls (e.g., pseudonymization/encryption, role-based access control) and organizational controls (e.g., training and awareness).
Appendix 4: Recipients of personal data
We may share your personal data with the following:
Our group companies
Other companies and entities that are part of the TSGG Group.
Our authorized third-party agents, service providers and/or subcontractors of TSGG
Our business partners, suppliers and sub-contractors for the performance of any contract we enter into with you, for example:
- our IT systems providers, including but not limited to Ayden, Tevalis, Limited, Cloud Direct, EGGS, Sevenroom Inc, Order X, Agilis, Linkmobility, Bambora AB;
- Food Alert Limited in relation to food safety services.
- Instagram, Facebook, LinkedIn, Youtube, Snapchat.
- SevenRooms, in relation to customer management and experience (e.g. Reservations, virtual waitlist, events widget, table management, POS integration, SMS); and
- Adyen N.V. in relation to POS consulting services
A current list of these third-party service providers with whom we share your personal data can be provided to you on application to the Legal Department at [email protected].
Our professional external advisors
Including accountants, lawyers and other professional advisers that assist us in carrying out our business activities, a current list of these third parties can be provided to you on application to the Legal Department at [email protected]
These are individuals or organisations who enter into an agreement with us to operate an OCHE® and/or SHUFL® Venue under the TSGG brand in various jurisdictions all over the world. Your personal data will not be shared with all of our franchisees but only those that are relevant to you.
Social media-related parties
We have different social media-related parties for each area of the world in which we operate – your personal data may be shared with the social media-related parties in our area, but not all. A list of our current social media-related parties and the countries in which they operate is set out below:
- SendinBlue, EEA
- SevenRooms, EEA
- Airship, UK and Singapore
Appendix 5: Data subject rights
Right to information
We may require further information in order to respond to your request (for instance, evidence of your identity and information to enable us to locate the specific personal data you require).
Right to access
You have, at any time, the right to request access to the personal data we process about you. When you exercise this right, we must provide a copy of the personal data to which you have requested access.
We may require further information to respond to your request (for instance, evidence of your identity and information to enable us to locate the specific personal data you require).
Right to rectification
You have the right to ask us to rectify any errors and correct your personal data, that we hold where it is inaccurate or incomplete. We take reasonable steps to ensure that personal data which is inaccurate is rectified without delay.
Right to erasure
You have the right to request us to erase your personal data in certain circumstances. This right only applies under certain circumstances and is not absolute. For example:
- where your personal data is no longer necessary in relation to the purposes for which they were collected or otherwise used;
- if you withdraw your consent and there is no other legal ground for which we rely on for the continued use of your personal data;
- if you object to the use of your personal data (as set out below);
- if we have used your personal data unlawfully; or
- if your personal data needs to be erased to comply with a legal obligation.
Right to restriction
In certain circumstances, you may not be entitled to require the deletion of your personal data. Still, you may have the right to suspend our use of your personal data . In this instance, all processing, except storing, of that personal data must stop whilst the restriction is in place. This right only applies under certain circumstances and is not absolute. For example:
- where you think your personal data is inaccurate and only for such period to enable us to verify the accuracy of your personal data;
- the use of your personal data is unlawful, and you oppose the erasure of your personal data and request that it is suspended instead;
- we no longer need your personal data, but your personal data is required by you for the establishment, exercise or defence of legal claims; or
- you have objected to the use of your personal data, and we are verifying whether our grounds for the use of your personal data override your objection.
Right to data portability
You have the right to obtain your personal data in a structured, commonly used and machine-readable format and for it to be transferred to another party, where it is technically feasible. The right is not absolute as it only applies to:
- personal data which you have provided to us;
- where the use of your personal data is based on your consent or is necessary for the performance of a contract; and
- when the use of your personal data is carried out by automated (i.e. electronic) means.
Right to object to the use of your personal data (including to object to direct marketing)
You have the right to object to the use of your personal data in certain circumstances and subject to certain exemptions. Examples of this right include:
- where you have grounds relating to your particular situation, and we use your personal data for our legitimate interests (or those of a third party);
- when the data is processed for the purposes of scientific/historical research and statistics.
- if you object to the use of your personal data for direct marketing purposes.
Right to object to a decision based solely on automated processing (including profiling)
You have the right not to be evaluated solely on the basis of automated processing, including profiling (e.g., automated profiling in connection with offers of employment, credit access, and insurance). This means we will not use (without any human involvement) your personal data (e.g., automated processing of personal data to evaluate certain aspects about you) in a way that produces legal effects concerning you or similarly significantly affects you unless it is:
- necessary for entering into, or for the performance of, a contract between TSGG and you; or
- authorized by law (e.g., for the purposes of fraud or tax evasion); or
- if you provide your explicit consent.
Right to withdraw consent.
You always have the right to withdraw your consent at any time when we rely on consent to use your personal data.
Right to lodge a complaint to the relevant data protection authority.
You have the right to complain directly to the relevant Data Protection Authority if you think we have not processed your personal data in accordance with data protection law, but please do check if our Data Protection Officer can help you first.
In the case of which data protection authority you may complain to, this will depend on factors such as which OCHE and/or SHUFL Venue you visited and the country in which it is located or where the infringement occurred.