The GDPR, the regulation on the protection of personal data and privacy for all individuals within the European Union, came into force on 25 May of this year. What the GDPR is and how it affects companies operating in the field of online gambling: read on in this review from Slotegrator.

What is GDPR

GDPR is the abbreviation for the EU General Data Protection Regulation No. 2016/679, and the name makes its purpose clear.

GDPR contains 209 pages, including 99 articles and 173 recitals. It was developed and adopted by the European Parliament and the EU Council in spring 2016. The provisions of the GDPR entered into force two years later, after the transition period. The purpose of this document is to strengthen the protection of, and control over the use of, the personal data of all natural persons located on the territory of the European Union, which includes 28 countries. It also applies to personal data exported outside the EU, in particular to the trans-border flow of data.

GDPR automatically displaces the previous document, the Data Protection Directive No. 95/46/EC of 1995. In contrast to the Directive, the GDPR is a mandatory regulation and does not require any legislative changes in the individual EU Member States.

Key Provisions of GDPR

The new law bases personal data processing on the following principles:

  • Legality, fairness, and transparency. The data shall be processed in a legal, fair and transparent manner in relation to its owner, an individual.
  • Principles of Data Collection. Data must be collected for specified, clear and legitimate purposes and shall not be handled in a manner incompatible with these purposes.
  • Data Minimization. Data should be collected only to the minimum extent needed for the intended purposes.
  • Accuracy. Personal data must be kept up to date where required, as well as be objective and accurate. 
  • Data Retention Periods. Data should be kept no longer than is necessary in relation to purposes for which it was collected or further processed. 
  • Data Integrity and Confidentiality. It is necessary to ensure the protection of personal data by using appropriate technical and organizational measures. 

Personal data is any information that identifies the data subject (an individual), in particular: name, surname, personal documents, location, online identifier, indicators of physical, religious, gender, economic, cultural, social, etc. identity and more.

In addition to the above, GDPR highlights the concept of "monitoring behaviour of data subjects". This includes the study of consumer behavior, preferences, etc. Accordingly, these processes also fall under the requirements of the new law.

The legality of personal data processing is determined by the consent of the person to this procedure. The subject should also have a good understanding of how the information may be used. The new law significantly tightens the requirements for obtaining consent to data processing.

The owner's consent must be expressed in the form of a clear affirmative action. For example, consent fields that are already ticked by default can now amount to a violation. After the person has agreed to the processing of their personal data, the company is obliged to clearly demonstrate this to them: to provide an additional notification, to send a message, etc.

Companies are required to notify the regulatory authorities, and in some cases the owners of the personal information, about any violations of its integrity or privacy. This must be done within 72 hours of detecting a data leak, break-in, etc., whether it occurred as a result of hacker attacks or other illegal actions or in other circumstances.

User Rights

GDPR establishes that the user has the right to revoke his/her consent to the processing of personal data at any time. The ability to do this shall be available on the website so that people can easily find it.

A particular innovation of this regulation is that it authorizes the user to transfer his/her personal data from one site to another: the "right to data portability". In this case, at the request of the client, the company must hand over an electronic copy of his/her personal data to another website.

In addition, GDPR provides a right to erasure, also called the right to be forgotten. It gives the person the opportunity to have personal data removed if he/she is against its transfer to third parties.

Moreover, Europeans have obtained the opportunity to request any information concerning the processing of their data: place, purpose, which third parties have access to it, processing periods, data origin, etc. A person can also have the data corrected if there are any inaccuracies.

Liability and penalties for GDPR violation

The European Data Protection Board (EDPB) was appointed as the supervisory and control body in accordance with the rules of GDPR.

Failure to fulfill the requirements of GDPR exposes the entrepreneur or organization to a fine of up to €20 million or up to 4% of the total annual turnover for the previous financial year, whichever of these numbers is bigger. For minor violations the fine will be up to €10 million or 2% of the total annual turnover.

Whom does the GDPR affect?

GDPR distinguishes two types of entities involved in personal data processing: a data processor and a data controller.

  • The controller is the person or organization that determines the purposes and means of collecting and processing personal data.
  • The processor is an individual or organization that collects and processes personal data on behalf of the controller.

The controller bears a heavier responsibility than the processor, since the latter is merely an executor.

Thus, the first category of companies subject to GDPR covers both European and foreign businesses that offer goods or services to residents of the European Union, as long as these activities require the collection and processing of personal customer data.

The second category covers companies that monitor the behavioral characteristics and preferences of EU citizens.

How GDPR will be applied in the CIS countries

In the CIS, a large number of companies fall within the scope of the law, including banks with offices in Europe (for example, Russian VTB Bank and Sberbank) and Internet companies that use cookies to monitor European users.

Betting and gambling sites providing services to EU residents have to adhere to the new rules as well. This holds even if the operator does not perform any actions directly on the territory of the EU and has no offices or contractors in Europe.

Signs that the site services are targeted at Europeans:

  • Services are provided in European languages;
  • Deposits are accepted in local currencies;
  • The site uses a national top-level domain of an EU country (".de", ".nl", ".uk", etc.).

Recommendations to operators 

Gambling projects that are targeted at a European audience shall appoint a representative in the European Union. The representative has to act on behalf of the controller or processor and be eligible to interact with all EU regulators, including the supervisory authorities.

If the company has headquarters, affiliated institutions or offices in the countries of the European Union, these may become the representatives. Moreover, European affiliate companies, for example developers and providers of gaming software, can become the representatives as well.

European gambling software providers have already sent out notifications to their customers concerning the processing of personal data. They also indicated the third parties that have access to your information and specified your rights as the data owner under the law.

Slotegrator experts advise operators of gambling sites to review the personal data of all players and to verify the systems that process it. They also advise establishing co-operation with third parties in case they have access to your database.

It is also recommended to determine the minimum required amount of personal data and the time during which this data needs to be stored. In addition, it is necessary to provide procedures for transferring, adjusting and removing the data at the request of the owner. Another important point is reporting to the regulator and the assignment of staff.

Conclusion

GDPR is a new reality for companies operating on the European market. This document significantly enhances the level of personal data protection within the EU and beyond. Compliance with GDPR allows you not only to run a legal gaming business but also to take maximum advantage of the European digital market. In this regard, submitting to the control of the European Commission will serve as proof of an online casino's honesty and law-abidance. That, in turn, will have a positive impact on the reputation and customer loyalty of the gaming house.