New requirements for the identification of individuals and the establishment of databases – a privacy perspective

Thursday, 29 December 2022




The recent legislative amendments brought by Law No. 326/2022 amending and supplementing Government Emer­gency Ordinance No. 77/2009 on the organi­zation and operation of games of chance impose a set of new obligations on gambling operators. In summary, gambling operators will have:

the obligation to have the neces­sary technical means for the establish­ment of databases on self-exclu­ded and unde­si­rable persons in order to obtain the authori­za­tion to operate games of chance;

the obligation to identify the persons entering the premises where gam­bling activities take place and to keep a record, in electronic format, of their identification data, the databases thus con­stituted being archived by the operator and kept for a minimum period of 5 years from their crea­tion, and,

the obligation for organizers of games of chance to establish, in electronic format, databases relating to self-excluded and unde­sirable persons, the databases thus esta­blished being archived by the operator and kept for at least 5 years after their creation.

Although we expect the methodological norms to elaborate on how such obligations should be implemented, it is important to emphasize that the implementation of such obligations must be done taking into account the applicable rules on the protection of personal data. Thus, below we captured some of the aspects that need to be addressed in this context.

establishment of databases – a privacy perspective

establishment of databases – a privacy perspective

What is the basis for processing this data?

The data will be processed for the fulfilment of a legal obligation incumbent on the gambling operators, which is permitted under the applicable personal data protection requirements.


What personal data can I process?

To answer this question, gambling operators must take into account the principle of data minimization, i.e., the processing of only that data that is adequate, relevant and limited to what is necessary in relation to the purposes of the processing. We do not rule out the possibility that the legislator, by amending the methodo­logical norms, may lay down the exact data to be reflected in the databases. However, in the absence of such indications, practices whereby more data are collected than the ones strictly necessary for identification (e.g., contact data) or whereby copies of players’ iden­tity documents are made should be avoided.


Can I carry out the identification and registration procedures by automated means?

There is nothing to prevent the implementation of a sys­tem whereby access to the premises is based on the scan­ning of certain documents (e.g., identity card, driving license). However, such a system must be designed to perform only those activities strictly necessary to fulfil legal obligations – it must be able to read only the relevant data and reflect it accordingly into the database, and not to store in any way the documents subject to automated verification.


Is it necessary to inform players about this processing activity?

Even if the processing is based on a legal obligation imposed on the gambling operators, this does not affect the right of the data subject to be informed about this processing activity. Therefore, gambling operators need to update their procedures on the processing of personal data to ensure that data subjects are correctly informed about this personal data processing activity.

How long do I have to store individuals’ data in databases?

The legal provisions require a minimum period – 5 years. After 5 years, we consider that the controller should analyze whether these data are still necessary to be processed (there can be also other purposes for processing, such as a request for information from the National Gambling Office). If the answer is affirmative, the data can be kept further. If the answer is negative, the controller is required to anonymize or delete the information reflected in the database.

Depending on the decision of the legislator on how to implement these obligations, there may be other issues that are relevant to this discussion. In the meantime, we consider that the aspects outlined above are a good starting point for operators to ensure that the identi­fication of individuals and the compilation of data­bases are carried out in full observance of the protection of personal data provisions.

Author: Editor

Share This Post On

Submit a Comment

Your email address will not be published.