Skip to main content Skip to navigation Skip to footer

Privacy Notice

Privacy Policy

Privacy statement

This website (www.grai.ie) is maintained by the Gambling Regulatory Authority of Ireland (GRAI)

The GRAI or Údarás Rialála Cearrbhachais na hÉireann was established on 5th March 2025 for the purposes of licensing and regulating gambling providers, and monitoring gambling activity in Ireland. Our offices are located at

Ballaugh House, 73 Mount St Lower, Dublin 2, D02 PX37.

Our primary legislation is the Gambling Regulation Act 2024 (Number 35 of 2024). We regulate all gambling activity in Ireland, excluding the National Lottery. Our activities are under the provision of our parent department, the Department of Justice, Home Affairs & Migration (DoJ).

The GRAI is committed to protecting your personal data and ensuring transparency in how we process it. All data is processed in accordance with the Data Protection Act2018 and the General Data Protection Regulation (GDPR).

 

 

What data do we collect, for what purpose and what is the lawful basis for doing so

The GRAI collects and processes personal data in accordance with Section 6, and where applicable, Article 9 and 10 of the GDPR. The lawful bases for processing of data depend on the nature of the interaction and the purpose of the processing

  • Consent: We rely on explicit consent for:

o   The use of non-essential cookies

o   Voluntary submissions via contact forms or surveys

o   Subscribing to be notified about a consultation

o   Processing of licence applications, including supporting documentation required to assess a licence application

  • We process personal data which is necessary for the performance of a contract or to take steps prior to entering a contract. This applies to:

o   Communications with applicants regarding the application status or requirements

  • We process personal data to comply with legal obligations under the Gambling Regulation Act 2024, record-keeping and reporting obligations to other regulatory bodies.

  • As a statutory regulator, we process personal data (and where applicable special category personal data) in the exercise of official authority and for tasks carried out in the public interest, such as:

o   Licensing and supervision of gambling operators

o   Enforcement actions and investigations

o   Maintenance of exclusion registers and harm prevention programs

  • We may process personal data to protect the vital interests of individuals, particularly where:

o   There is a risk of harm or exploitation

o   Safeguarding of children and vulnerable adults

Information we routinely collect from the website

We may collect the following information from each user of this site:
- Statistical information (IP address and hostname, web browser version, pages visited and so on)
- The previous website address from which you reached us, including any search terms used

We use this information to analyse the usage patterns of the website in order to improve the website’s effectiveness. We will neither make attempts to identify individual visitors, nor associate the technical details listed above with any individual.

It is our policy never to disclose such information in respect of individual website visitors to any third party unless explicitly stated (see Google Analytics section below) or obliged to disclose such information by a rule of law.

How long we keep the information

We retain personal data only as long as necessary to fulfil the purposes for which it was collected as described above and in accordance with our legal and regulatory obligations.

How we keep your information secure

Safeguarding your personal data is our responsibility. We implement robust security measures to ensure that your information is protected from unauthorised access, loss, misuse or disclosure.

Obtaining data from third parties and validating your data with third parties As part of the licencing process, the GRAI may obtain data from third-parties to validate information/data/documentation that has been forwarded by a licence applicant. This will be for the purpose of cross-referencing the information/data/documentation with a third-party, to ensure that it is true and accurate. For example, we may liaise with the  Companies Registration Office (CRO) in relation to the composition of a licence applicants company details. The licence applicant will be put on prior notification of this process and their consent obtained.

Who we share personal data with

Your data may be shared with third parties who fulfil our statutory obligations. Your data may be shared with other government bodies where it is necessary to do and where we are lawfully required to do so.

As part of the Compliance and Enforcement functions of the GRAI, we may liaise with and engage third parties to obtain data or share your data. For example, we may liaise with our regulatory counterparts in other jurisdictions for information on your previous compliance/non-compliance.

As provided for in Section 35 of the Gambling Regulation Act 2024, we may enter into information sharing agreements with the following;

(a) the Garda Síochána,

(b) Coimisiún na Meán,

(c) the Charities Regulatory Authority,

(d) the Companies Registration Office,

(e) the Competition and Consumer Protection Commission,

(f) the Corporate Enforcement Authority,

(g) the Criminal Assets Bureau, or

(h) the Revenue Commissioners

Your rights

As a data subject, you have rights under the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 regarding how your personal data is processed by us. We are committed to ensuring that your rights are respected and upheld. If you have any queries, please reach out to us at dpo@grai.ie

Right to Access (GDPR Article 15)

You have a right to receive a confirmation from us whether your personal data is being processed. To deal with such requests, we can ask for proof of identity and enough personal data about you to enable us to locate the data we may process. To raise such a request, you can fill out the Subject Access request form

Right to Rectification (GDPR Article 16)

You are entitled to have relevant records/ files amended if the personal data we hold is inaccurate or incomplete. Where information is inaccurate or incomplete, you may contact us to request for the information to be rectified. Upon receipt of request, we will  ensure that the personal data is rectified and as up to date as is reasonably possible.

Right to Erasure (Right to be forgotten) (GDPR Article 17)

In limited circumstances, you will have the right (where the data is no longer needed for the purposes it was collected, where you have withdrawn consent and there is no other lawful basis on which we can continue to process it, you object to processing and there are no overriding legitimate grounds to continue, where the data has been unlawfully processed or where the data has to be erased for compliance with a legal obligation) to request that we erase the information we hold about you.

As most of our processing is conducted for us to comply with our statutory obligation and/or perform our tasks in accordance with our primary legislation, this right will not be available in most circumstances.

 

Right to Restrict processing (GDPR Article 18)

You have the right to seek to restrict processing of your data where:

  • the processing is unlawful and you request restriction instead of erasure,

  • The GRAI no longer needs the data for the purposes for which it was collected, but you need for defence of a legal claim, or

  • the accuracy of the data is contested – for a period necessary to allow us to verify its accuracy

Right to Object processing (GDPR Article 21)

You have the right to object to our processing of data, which is done on our predominant ground for processing – the exercise of our statutory/ regulatory functions. In this case, we will stop processing unless we can demonstrate compelling legitimate grounds for continuing the processing which override your interests.

How to request and Important Points

  • To exercise your rights, please contact our Data Protection Office

o   Email: dpo@grai.ie

o   Subject Line: Data Protection Request

o   Description of the information you wish to access

  • To protect your privacy, we require proof of identity, however, please don’t send original documents

  • Upon receipt of a request, we will comply with the request within the statutory timeframe provided for in the GDPR. If we require additional time to address your request, we will notify you of the delay, and the reasons for the same.

  • You are entitled to contact the Data Protection Commission if you have any complaints in relation to enforcement of your rights.

  • Some rights may be restricted due to legal obligations, regulatory enforcement, or public interest considerations

 

Further information or to make a request:

If you are concerned about how personal data is processed by us, please do not hesitate to bring such concerns to our attention. To do so, you can contact the GRAI at communications@grai.ie

This Privacy Notice will be updated from time to time. The most recent version will be available on the Gambling Regulatory Authority of Ireland’s website at www.grai.ie.