About Us

1. About us

Resorts World Birmingham is owned and operated by Genting Solihull Limited, a company incorporated and registered in England and Wales with company number 06601106 and with its registered office at Genting Club Star City, Watson Road, Birmingham, B7 5SA (GSL).

GSL is registered with the UK Information Commissioner’s Office (ICO).

GSL acts as data controller of personal data collected and processed through our operations at RWB. This means that we are responsible for processing and safeguarding your personal data in accordance with this privacy notice and all applicable data protection laws whenever you interact with the following RWB brands or make use of their goods and services (RWB Brands):

• Resorts World Birmingham – our entertainment, retail and leisure complex located in Solihull, including our online account services.
• Genting Hotel – our hotel located within RWB.
• Santai Spa – spa, treatment and gym facilities.

RWB hospitality venues:

• Sky Bar and Restaurant
• The World Bar
• Sports Bar (located within Resorts World Casino)
• Apartment

Other RWB facilities and services:

• Guest Services
• Car parks

Third-party RWB Tenants

Third-party retail outlets, entertainment, leisure and hospitality venues operating out of RWB are not under the control of GSL and their respective data processing activities are outside the scope of this privacy notice. You should consult the separate privacy notices of those third-party tenants if you require information on how they process your personal data. For details of our current tenants, please visit the RWB website.

Similarly, any third-party website links integrated with the RWB website or to which the RWB website may be linked (including any social media platforms) are also outside of our control and are not covered by this privacy notice. Your access to these websites is subject to the relevant third party’s terms and conditions and their own privacy and cookies policies.

Resorts World Casino

Genting Casinos UK Limited, a company incorporated and registered in England and Wales with company number 01519689 and with its registered office at Genting Club Star City, Watson Road, Birmingham, B7 5SA acts as the principal data controller in relation to your personal data collected through your visits to Resorts World Casino located within RWB.

Genting Casinos UK Limited is a licenced land-based casino operator regulated in Great Britain by the Gambling Commission under account number 537. If you require further information on how Genting Casinos UK Limited processes personal data for its land-based casino business, including in relation to Resorts World Casino, you can obtain copy of its privacy notice on its website (www.gentingcasinos.co.uk), in any Genting Casino or from the Data Protection Officer via DPO@gentinguk.com.

Our Data Protection Officer

2. Our Data Protection Officer

If you have any questions about this privacy notice, your data protection rights or our data protection practices more generally, you can contact our Data Protection Officer (DPO) on DPO@gentinguk.com. Our DPO works across each of Genting Solihull Limited, Genting UK plc and Genting Casinos UK Limited and will be able to assist with your queries.

What is personal data?

3. What is personal data?

References to personal data in this privacy notice are references any information relating to an identified or identifiable natural person. Common examples include name, date of birth, address and contact details.

How we collect personal data

4. How we collect personal data

From you

Most of the personal data that we collect is gathered from our direct interactions with you when you make use of RWB Brands and services – e.g. when you visit our websites, register for an online account, subscribe to receive direct marketing from us, book a room at the Genting Hotel or make a reservation for one of our restaurants.

You generally have a choice as to whether you provide us with your personal data, but we may be unable to offer you certain services if we do not have the necessary information to do so. You can find details of the data we usually collect from you in the Summary of Data Processing Activities.

From third parties

We may also collect personal data about you from third parties. This is generally in limited circumstances but includes where we make use of publicly or commercially available information sources and databases and where we engage third party service providers from time to time. For example, we may make use of aggregated information supplied by market research agencies.

The amount of personal data that we collect, process and retain is limited as far as possible to what is strictly necessary for the purposes of processing.

How we use personal data

5. How we use personal data

We use your personal data for different reasons. Our key data processing activities are set out in the Summary of Data Processing Activities. In some cases, we will also provide you with additional specific information about our use of your personal data at the time it is collected from you. For example, if you choose to complete an online customer survey, we will remind you at that point of how we might use your survey responses. These are called “just in time” notices and should be read alongside this main privacy notice.

Categories of personal data

6. Categories of personal data

You can find details of the general categories of personal data processed by us as part of our day-to-day activities in the Summary of Data Processing Activities.

In addition to general personal data, we also process the following categories of more sensitive personal data:

• Special Category Personal Data

Special Category personal data consists of data about your race, ethnic origin, politics, religion, trade union membership, genetics, biometrics, health, sex life or sexual orientation. Due to its sensitive nature, Special Category personal data needs additional protection under the data protection laws.

Our processing of Special Category personal data will generally be very rare. Examples are when you use our Santai Spa services and complete a medical questionnaire or where you become ill or have an accident on our premises and disclose any health conditions to us.

Where required, we will ensure that we have asked for and received your explicit consent to process your Special Category personal data at the time that we collect it (or as soon as is possible if it is passed to us from a third party). As far as possible, will explain to you why we collect this data and how long it will be retained for at the time it is collected – please look out for this information in any forms or documents we present to you at the time.

We will never use any Special Category personal data that we hold about you for marketing profiling purposes unless we have your explicit consent to do so.

• Criminal Offences Data

We may also process criminal offences data in limited circumstances. This is typically where an incident of a criminal or potentially criminal nature has occurred on our premises (e.g. shoplifting or criminal damage) and details of the incident are passed to the police. We may incidentally capture events of a criminal nature as part of our routine CCTV monitoring.

We also have a data sharing agreement in place with the West Midlands Police to support these purposes and to help ensure that RWB is a safe environment for Guests and visitors.

• Childrens’ Data

We process children’s personal data as part of some our services – the clearest examples are when a child participates in RWB competitions, prize draws and events. We may also process childrens’ data in the event of an accident or incident on our premises involving a child (e.g. if your child has an accident at RWB, we will need to document this in our accident reporting records). Childrens’ personal data is only used for very limited purposes and never for direct marketing.

• Payment Card Data

Where you pay for RWB operated services using a debit or credit card, any data collection by us will be processed in accordance with PCI-DSS standards. We undertake regular auditing of our operations to ensure these remain compliant to current PCI standards. Please note that third party payment services providers may also use payment card data to complete your transaction but we require these third parties to be compliant to PCI-DSS standards.

Our lawful bases for processing

7. Our lawful bases for processing

We have identified several lawful bases under the data protection laws to support our processing of your personal data. More than one lawful basis may apply, and we may use several to support our processing in each case.

The lawful bases are explained here in more detail with some real-life examples of how you can expect us to us your data in each case. The list is not exhaustive, but you can contact our Data Protection Officer if you have specific questions. We have also highlighted any specific rights that you may have.

How we share your personal data

8. How we share your personal data

In order to operate our business and to deliver our services to you, we may share some of your personal data with third parties, some of which process your data on our behalf as our data processors. Data sharing with third parties is limited to what is strictly necessary to achieve the relevant purpose.

Here are some examples of who we share personal data with as part of our day-to-day operations. This list is not exhaustive but is provided to give typical and real-life examples of how we share your personal data - we may also use your data for other reasons, provided they are compatible with the general purposes outlined here.

You can find out more about our third-party recipients of your personal data by contacting the Data Protection Officer on DPO@gentinguk.com.

Analytics, direct marketing and service messages

9. Analytics, direct marketing and service messages

Direct marketing and analytics

We collect and process personal data for marketing and analytics to gather market insights, to design and build marketing campaigns and to promote and monitor the use of our products, services and loyalty/rewards schemes. This is broadly known as ‘profiling and segmentation’ and helps us to limit the amount of direct marketing that you receive from us and to ensure we only contact you about specific offers and promotions that we believe you may be interested in. We may use information such as your visit and purchasing history, product preferences, and geographical location for this exercise.

We may also engage third party service providers to carry out similar activities on our behalf. Our third-party service providers are not permitted to use your details for their own direct marketing activities or to sell or pass your data on to any other third parties. Our arrangements with our service providers are subject to contractual terms to protect the safeguarding and integrity of your data in accordance with the relevant data protection laws.

Where you have consented to receive direct marketing from us and / or have not opted-out, we will contact you in line with your marketing preferences with offers, news, promotions and details of other Genting UK / RWB brands products and services we think you might be interested in. We currently communicate with customers via email and SMS for booking reminders at Sky Bar and Restaurant.

We also use cookies and similar technologies (such as tracking ‘gifs’, ‘pixels’ and ‘beacons’) within our direct marketing communications to help us measure the take-up and effectiveness of our marketing campaigns.

Soft opt-in

We may also send you marketing messages about similar products or services without your express consent if you have previously used our services or made a purchase from us – this is known as the “soft opt-in rule” under the data protection laws.

For example, where you have registered for an online account with us, have visited the Genting Hotel, Santai Spa, made a reservation for one of our hospitality venues or used any of our other services, we may contact you afterwards about similar goods and services

While “soft opt-in” does not require your express consent, you can opt-out at any time by following the steps explained below.

You can change your marketing preferences or opt-out at any time

YOUR RIGHTS: We will only ever contact you in line with your marketing preferences - you can change your marketing preferences at any time by accessing our Preference Centre / logging into your RWB account, or by following the ‘unsubscribe’ or text ‘STOP’ link within our marketing communications.

For both consent-based and “soft opt-in” marketing, we will always give you the opportunity to opt-out of direct marketing at the time we initially collect your personal data from you, and within each marketing message. You can also opt-out at any time by contacting DPO@gentinguk.com or by asking at Guest Services.

Please note, if you opt-out of marketing, we will still retain and process your data to make sure you do not receive marketing communications from us in the future, but we won’t use it for any other marketing purposes.

How long will I receive direct marketing for?

If you usually receive direct marketing from us but have not interacted with us for an unbroken period of 36 months, you will no longer receive marketing emails from us even if you haven’t chosen to unsubscribe.

This is because we will assume that you no longer want to hear from us if you have not interacted with us for that length of time. At this point, we will securely retain your personal data in line with our Data Retention Policy, but it will not be used for marketing purposes, nor for marketing analytics, profiling or segmentation.

Examples of you ‘interacting’ with us are logging into your online account, visiting RWB Brands, booking a stay at the Genting Hotel, clicking through a link in our marketing communications, logging into our marketing Preference Centre or updating your details via your online RWB account.

Service emails

Even if you have opted-out of direct marketing, you may occasionally receive non-marketing service messages from us to let you know about important matters that might affect you.

These messages are administrative in nature and will typically include things like notifying you of upcoming changes to our terms and conditions, important health and safety notifications and any material updates to this privacy notice – these messages do not contain promotional or marketing material, so we do not need your consent to send them to you.

Cookies and Similar Technologies

10. Cookies and Similar Technologies

If you visit our websites, download our mobile Apps or receive direct marketing from us, we may collect data about you from our use of cookies and similar technologies. This data does not always identify you personally but helps us to understand more about how visitors use our website, what features are working well, how our marketing campaigns are performing and where improvements might be made. We also use cookies and similar technologies (such as tracking ‘gifs’, ‘pixels’ and ‘beacons’) within our direct marketing communications to help us measure the take-up and effectiveness of our marketing campaigns.

You can find out more information about the cookies and similar technologies we use and your rights in relation to them in our Cookies Policy available on our websites.

You will also be able to select your cookie preferences via the cookie consent preference tools on our websites.

Data transfers outside of the UK

11. Data transfers outside of the UK

In most cases, your personal data will be processed by us and or our third-party data processors in the UK. However, it may be necessary for us to transfer data outside of the UK from time to time if we work with service providers who are located overseas. Where this is the case, we will only transfer your personal data outside of the UK where there is a similar degree of protection afforded to it. We will aim to ensure this by implementing one of the following measures:

• by only transferring your personal data to countries that are deemed to provide an adequate level of protection for personal data, for example, within the European Economic Area, or to other countries where UK Adequacy Regulations have been made; or
• in all other cases, by using contractual clauses approved for use in the UK which aim to give personal data the same protection it has in the UK (these are the International Data Transfer Agreement (IDTA) and approved Standard Contractual Clauses).

Confidentiality and Data Security

12. Confidentiality and Data Security

We have appropriate technical and organisational measures in place across our business to help safeguard your personal data, including from data breaches and cyber-attacks. In addition, we limit access to your data to our employees and third-party processors who have a legitimate need to know about or receive your data. They will only process your personal data on our instructions and subject to appropriate obligations of confidentiality and security.

We have procedures in place to deal with any known or suspected personal data breaches and will notify you and / or the ICO or any other applicable regulator of a breach where we are legally required to do so. We undertake regular auditing of our safeguarding measures and are accredited to ISO 27001 and PCI-DSS standards.

You can find out more about the measures we take to safeguard your personal data by contacting DPO@gentinguk.com.

Where we share personal data with social media platforms, law enforcement agencies and regulatory authorities, these third parties act as independent data controllers of your personal data. This means we have no control or oversight over how they use your data for their own purposes and you should consult their separate privacy notices for more information on how your data might be used.

How long will we keep your personal data for?

13. How long will we keep your personal data for?

We will only retain your personal data for as long as necessary to fulfil the purposes outlined in this privacy notice. We maintain a Data Retention Policy for this purpose.

Some of our data retention periods are based on set legal requirements, while others are carefully decided by us taking into account our need to retain data vs your rights, the purposes for which the data is processed and whether under data minimisation principles we can achieve those purposes without keeping hold of some or all of your data. Personal data that meets the requirements for erasure under our Data Retention Policy will be securely deleted or anonymised by us and our third-party data processors will be asked to do the same.

Please note, in some cases we may apply a longer data retention period to that stated in our Data Retention Policy such as where you have made a complaint or where we reasonably decide that data needs to be retained by us for legal or regulatory purposes (e.g. archiving CCTV footage beyond the usual 30-day retention period).

If you require further details of the data retention period for a specific service or category of personal data, you can contact the Data Protection Officer on DPO@gentinguk.com.

Your Data Protection Rights

14. Your data protection rights

Under the data protection laws, you have a number of rights in relation to your personal data. They are:

• The right to receive a copy of the personal data we hold about you (known as a Data Subject Access Request or DSAR), and to request confirmation if your personal data is being processed and how / why. Please note, we may refer you directly to this privacy notice in part satisfaction of this request;
• The right to ask us to correct any inaccurate data that we hold about you. You also have the right to ask us to complete information you think is incomplete;
• The right to request erasure of your personal data – also known as the “right to be forgotten”. We do not have to erasure your data where we are need to process it to comply with our legal obligations or the processing is necessary for the establishment, exercise or defence of legal claims. We will write to you to let you know if this is the case when you make an erasure request;
• The right to object to the processing of your personal data;
• The right not to be subject to decisions based solely on automated processing without human involvement, including in relation to direct marketing – we do not currently carry out data processing within the scope of this restriction;
• The right to restrict our processing of your personal data;
• The right to request a transfer of your personal data to another data controller (data portability); and
• The right to withdraw your consent at any time where we are processing your personal data solely on the basis of consent – this includes the right to withdraw your consent for direct marketing purposes.

YOUR RIGHTS: various conditions apply to these rights under the data protection laws so they are not always absolute - you can find more information on your rights and the conditions that apply via the ICO website here Your Data Rights.

We also maintain a Data Subject Rights Policy to show how we uphold your rights.

If you wish to exercise any of your data subject rights, please contact DPO@gentinguk.com.

Fees and additional information

In most cases, you will not have to pay a fee to access your personal data (or to exercise any of the other rights). We may charge a reasonable fee, however, if your request is clearly unfounded, repetitive or excessive. Alternatively, we might refuse to comply with your request in these circumstances. We will always let you know where this is the case and also reserve the right to inform the ICO of our decision.

If you make a request, we may need to ask for additional information from you to help us verify your identity and to process your right to access your personal data (or to exercise any of your other rights).

We aim to respond to requests within one month of the date of receipt, or the date of receipt of any identification documents from you, whichever is later. Occasionally, it could take us longer than one month if your request is particularly complex, or if you have made a number of requests (e.g. where you have requested CCTV footage that requires redaction). In this case, we will notify you and keep you updated.

Your right to complain to the ICO

You also have the right to make a complaint to the ICO, the UK regulator for data protection issues, if you are not happy with our data protection practices. Wherever possible, and in line with ICO guidance, please contact us in first via DPO@gentinguk.com so that we can try to resolve your complaint directly.

The ICO’s address is: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF. ICO website: https://www.ico.org.uk

Updates

15. Updates

We may update this privacy notice if we make material changes to how we collect, process or look after your personal data. The latest version of this privacy notice is available via our website, Guest Services or from the Data Protection Officer on DPO@gentinguk.com.

Last Reviewed: August 2025

Next Review Due: August 2026

Genting Solihull Limited (t/a Resorts World Birmingham)

Summary of Data Processing Activities