top of page

Privacy Policy

Your trust is important to us!


Ålands Penningautomatförening (“We”, “Us” or “Our”) are committed to protecting and respecting your privacy. This privacy policy, together with Our Terms and Conditions for Affiliates (the “Agreement”), outlines what  personal data We collect, why We collect your personal data and how We process your personal data. 


We comply with applicable data protection laws, including the General Data Protection Regulation ((EU) 2016/679. We are also ISO 27001 certified.


We are responsible for collecting and processing your personal data and We have appointed a data protection officer. They are available to you as a contact for matters related to data protection.



Ålands Penningautomatförening

Lövdalsvägen 8

PB 241

AX-22101 Mariehamn

Åland, Finland



Data Protection Officer

Lövdalsvägen 8

PB 241

AX-22101 Mariehamn

Åland, Finland





We reserve the right to make changes and corrections to this privacy policy from time to time with or without notice. Any substantial changes to this privacy policy will be communicated to you, either by a newsletter or on Our website, We recommend that you keep a copy of this privacy policy and re-visit it frequently in order to be updated of any changes. Please observe that the latest version published on applies. The date of the most recent changes implemented can be found at the top of this privacy policy.




We collect and process your personal data for the following purposes:


  • performance of the Agreement and fulfilment of the obligations contained therein - processing is necessary to conclude and to fulfil Our obligations laid down in the Agreement, 

  • performance of legal obligations - processing is necessary to fulfil one or more legal obligations pertaining on Us,

  • to pursue various legitimate interests, such as security, preventing and investigating any offence(s) against Us, public relations and customer relations management, and/or defence of legal or other claims. 


  • 2.1 Processing for other purposes


In principle, personal data is only processed for the purposes for which it was collected. However, personal data may also be processed for other purposes if they are compatible with the original purposes or if doing so is necessary for legal reasons. 




Your data will be stored for the duration of the Agreement and following the termination of the Agreement, your data will be stored in accordance with the requirements laid down by the applicable laws and in order to establish, defend and/or exercise legal claims.




As a licensed gambling operator, We are particularly subject to applicable laws and regulations concerning gambling and thereto related services in those jurisdictions We have a gambling license(s), which require Us to collect and process your personal data. In addition, We also process your personal data for legitimate interests and the necessity for the performance of the Agreement.




We process your personal data in the strictest confidence and only disclose your personal data to third parties in accordance with this privacy policy and to persons authorised to process personal data, who have undertaken to observe confidentiality or are subject to appropriate statutory confidentiality. 


Notwithstanding the aforesaid, We may disclose your personal data in cases where We are required to do so by law, regulation or as a result of a request from an authority (police, tax office or other authorities) to disclose personal data. We may also disclose your personal data in cases where We suspect that a crime has been committed.


  • 5.1 Third parties


Your personal data may, for the purposes described above, be transferred or disclosed to, subject to appropriate agreements, carefully chosen third parties for example for the subsequent purposes:


  • Business partners, suppliers and sub-contractors for the performance of the Agreement We enter into with you, such as process payments, and manage the business relationship with you.


  • 5.2 Within the Group


For the purposes described in this privacy policy, personal data may be transferred within the Paf Group. Disclosure of personal data within the Group of companies primarily serves to manage personal data and process various matters in connection with the Agreement.


  • 5.3 Transfer of personal data


We always strive to process personal data within the European Union (EU) and the European Economic Area (EEA) as far as possible. In cases where it is necessary to transfer personal data outside of the EU/EEA, e.g. for the purpose of disclosing personal data to a data processor who, either themselves or through one of their subcontractors, stores personal data in a country outside of the EU/EEA or has its subsidiaries in a country outside of the EU/EEA, We take the necessary and adequate legal, technical and organisational measures to ensure that the level of protection corresponds to that of EU. When personal data is transferred to a country outside of EU/EEA, the level of protection is determined either by the list of countries maintained by the European Commission, and containing countries with adequate data protection legislation, or by the fact that the company is linked to EU via the ‘US Privacy Shield Framework’. Other suitable safeguards are approved codes of conduct in the recipient country and the application of internal, binding company guidelines, and the use of standard contractual clauses.



  • 6.1 Right of access


You are entitled to access your personal data that We process, provided that a) such personal data does not jeopardise the rights and freedoms of third parties, b) access to personal data is not prohibited by legal provisions such as the prevention of money laundering and terrorist financing Act, and c) the information does not jeopardise the outcome of a criminal or other investigation. 


In cases where We receive a request for access, it must be noted that We may request further information about you in order to guarantee effective processing of the request and disclosure of the data to the correct person.


  • 6.2 Right to rectification


You are entitled to have incorrect personal data that concerns you rectified, as well as within the stated purpose to supplement incomplete personal data.


  • 6.3 Right to be forgotten


You have the right to request that We erase or remove all or part of your personal data, e.g. if the personal data is no longer required for the purposes for which it was collected or was processed in another way.


It must be noted that We can reject the request to erase or anonymise the personal data if processing is carried out based on legal obligations applicable to Us. We may also reject the request for erasure and anonymisation of the personal data if it has a legitimate interest in processing or if We require such personal data to establish, assert or defend legal claims.


  • 6.4 Right to restriction of processing


You are entitled to some extent to request that Our processing of your personal data be restricted, for example: (i) if you contest the accuracy of your personal data, for a period enabling Us to verify the accuracy of the personal data; or (ii) the processing is unlawful and you oppose the erasure of the personal data.


Please note that We are entitled to store your personal data during the restriction of processing of your personal data and process such personal data in order to determine, enforce or defend legal claims or to protect any other natural or legal person’s rights. We may also process such personal data in cases where you have given your consent, or for reasons relating to an important public interest.


  • 6.5 Right to object


You have the right to object to certain types of processing provided that We have no legitimate interest in this regard.


  • 6.6 Right to data portability


Where We process your personal data on either your consent or performance of the Agreement between you and Us, and that your personal data is provided by you and the processing is automated, you are entitled to request that your personal data shall be transferred to another controller.  


  • 6.7 Withdrawal of consent

In cases where We base Our processing of your personal data on your consent, you can withdraw your consent at any time, at no cost. You can withdraw your consent by contacting Our Affiliate Manager.  


Note that the withdrawal of consent does not affect the legality of the processing that takes place before the consent is withdrawn. 


  • 6.8 Right to lodge a complaint


If you consider that the processing of your personal data does not comply with applicable data protection laws, you may submit a complaint to the Office of the Data Protection Ombudsman of Finland or any other applicable supervisory authority.




Your privacy and the protection of your Personal Data are key considerations for Us. In addition to Our comprehensive technical and physical security measures, We have several policies and guidelines in place to make sure that your Personal Data are treated in a secure manner. Furthermore, We are ISO 27001 certified.

bottom of page