Friday, 12 July 2024

Gambling and GDPR – What companies active in the gambling industry need to know (and do) to protect players’ personal data concretely and effectively?

► BY ADELA NUȚĂ, MANAGING ASSOCIATE, BACIU PARTNERS

The gambling industry as a whole is subject to multiple and rigorous forms of legislative oversight with clearly defined roles. These regulations seek to ensure not only compliance with industry-specific mandates but also, for example, the safeguarding of players’ privacy, in strict adherence to the General Data Protection Regulation (GDPR).

 


As players interact with various gambling services, whether at land-based locations or through online gaming platforms, it becomes imperative to ensure the full protection of their rights, particularly in terms of processing the personal data collected through these forms of entertainment.

It is primarily the responsibility of operators to ensure the confidentiality and security of players’ personal data, regardless of the gaming or gambling environment provided. However, in practice, exercising players’ rights often raises significant challenges. These challenges arise because requests are not always explicitly defined and address not only gaming-related aspects but also the broader spectrum of rights conferred by the GDPR.

This is exemplified by requests from players who seek either permanent or temporary self-exclusion, often accompanied by a demand for the deletion of their gaming account and all associated data, or by a request to cease access to gambling services, along with unsubscribing from marketing notifications. Furthermore, they might report unauthorized use of their gaming account and personal data, thereby seeking detailed information and access to these data.

Although, at first glance, such situations seem to pertain exclusively to the exercise of rights related to gaming activities, in reality, these requests have a complex and ambivalent nature. They require a careful and detailed approach from gambling operators, particularly regarding the protection of players’ personal data.

In such circumstances, it is important to emphasize that, pursuant to article 15 of the GDPR, the player, in their capacity as the data subject, has the right to request from the data controller (specifically, the gambling operator) a confirmation regarding the processing of their personal data. Should the processing be confirmed, the data subject is entitled to access these data and to exercise all the rights conferred by the GDPR.


Faced with such requests, gambling operators, accustomed rather to prioritizing operational aspects, risk neglecting their data protection obligations. It is imperative that, in the event of any such requests, several fundamental GDPR principles are adhered to:

INFORMATION: This aspect primarily involves providing complete and accurate information to the data subjects (players), ensuring a precise identification of the content of their requests, the rights they are entitled to, and their actual intentions. There can be instances where a player, on their usual understanding, assumes that a request for self-exclusion automatically encompasses the deletion of their gaming account from the operator’s system, along with all related personal data, or they might explicitly request the deletion of the gaming account.

However, in practice, a request for self-exclusion does not imply any automatic data deletion and cannot be processed and resolved immediately, as the operator has a legal obligation to retain these data for a certain period, in accordance with gambling regulations and/or AML (Anti-Money Laundering) requirements, aspects about which the player must be clearly informed.

The entire informational process must be meticulously aligned with the response deadlines stipulated by the GDPR, which generally mandate a maximum response period of one month. This timeframe may only be extended under exceptional circumstances and based on well-justified reasons, which must be communicated to the player in the most detailed manner possible from the initial interaction or within a subsequently reasonable timeframe.

TRANSPARENCY: Pursuant to article 12 of the GDPR, operators are required to communicate transparently and comprehensively with players regarding the resolution of their requests. In typical scenarios where a player requests information or reports improper uses of their gaming account, which inevitably involves the processing of their personal data, operators must provide players with complete information. This includes detailed explanations about the data collected, the purposes of processing, and any recipients to whom the data have been disclosed, ensuring that responses are not limited merely to operational or technical solutions.

Linguistic barriers can pose a substantial challenge to ensuring effective and transparent communication with players, given their cultural and linguistic diversity. Providing responses solely in one language, typically the official language of the country where the gaming services are offered, often fails to meet the transparency requirements mandated by the GDPR. Therefore, it is imperative that information be meticulously translated and appropriately adapted to ensure it is accessible and comprehensible to all players.

DOCUMENTATION: Although operators are obligated to maintain strict records of their activities in accordance with specific gaming & gambling legislation, it is equally essential to maintain a distinct record concerning data processing activities. This necessity arises from article 30 of the GDPR, acting as the primary means by which the operator can substantiate to the Supervisory Authority that it has met its responsibilities in this regard.

PRESET RESPONSES: While the challenge of creating and maintaining suitable templates for players’ requests demands considerable resources and significant legal expertise, in practice, implementing such tools can prevent numerous inconveniences for operators. This is especially crucial as operators’ initial interface with players is often through their employed personnel, who may not always be adequately trained or receptive enough to analyze the specific circumstances of each request.

MONITORING: The variety of channels available for players to submit their requests (including email, phone, online support platforms, or even in-person registration) can potentially lead to challenges in effectively centralizing them or ensuring they are not overlooked by automated data processing systems. For instance, a player may request to unsubscribe from marketing communications via email or another opt-out option, yet without proper processing by the operator’s implemented system, such a request might be overlooked, thereby allowing the player to continue receiving marketing messages, which contravenes GDPR requirements.

Another frequently encountered scenario is when the operator accepts a self-exclusion request solely in terms of confirming it, yet fails to implement appropriate measures to prevent the transmission of promotional materials to the player. This approach erroneously assumes continued consent under GDPR guidelines, thus constituting a serious violation of obligations under both gambling laws and GDPR regulations.

COMPLIANCE: Upholding GDPR standards entails the implementation of rigorous internal procedures and the deployment of integrated IT systems capable of managing all player communication channels. These systems must be capable of processing requests from various sources and centralizing them in a unified registry. Furthermore, they should also monitor and alert staff regarding deadlines to ensure no requests are overlooked until the resolution process is completed.


Lastly, it is imperative to emphasize that failure by data controllers to substantiate compliance with GDPR requirements concerning the rights of data subjects could lead regulatory authorities to impose substantial penalties. Noteworthy instances include Spotify, which was fined approximately five million euro for deficiencies in managing the rights of data subjects, and Google Belgium, which faced a substantial fine of 600,000 euro for non-compliance with the right to be forgotten of data subjects.

In conclusion: safeguarding players’ personal data is not merely a legal obligation but also a vital element in fostering their trust in the services provided. In an era where data privacy is increasingly valued, gambling operators must handle each player request with the utmost diligence to safeguard both their reputation and the future of their business.





Author: Editor
