New requirements for the identification of individuals and the establishment of databases – a privacy perspective
► COSMINA MARIA SIMION, PARTNER, SIMION & BACIU
► PETRUȘ PARTENE, ASSOCIATE, SIMION & BACIU
The recent legislative amendments brought by Law No. 326/2022 amending and supplementing Government Emergency Ordinance No. 77/2009 on the organization and operation of games of chance impose a set of new obligations on gambling operators. In summary, gambling operators will have:
(i)
the obligation to have the necessary technical means for the establishment of databases on self-excluded and undesirable persons in order to obtain the authorization to operate games of chance;
(ii)
the obligation to identify the persons entering the premises where gambling activities take place and to keep a record, in electronic format, of their identification data, the databases thus constituted being archived by the operator and kept for a minimum period of 5 years from their creation, and,
(iii)
the obligation for organizers of games of chance to establish, in electronic format, databases relating to self-excluded and undesirable persons, the databases thus established being archived by the operator and kept for at least 5 years after their creation.
Although we expect the methodological norms to elaborate on how such obligations should be implemented, it is important to emphasize that the implementation of such obligations must be done taking into account the applicable rules on the protection of personal data. Thus, below we captured some of the aspects that need to be addressed in this context.
establishment of databases – a privacy perspective
What is the basis for processing this data?
The data will be processed for the fulfilment of a legal obligation incumbent on the gambling operators, which is permitted under the applicable personal data protection requirements.
What personal data can I process?
To answer this question, gambling operators must take into account the principle of data minimization, i.e., the processing of only that data that is adequate, relevant and limited to what is necessary in relation to the purposes of the processing. We do not rule out the possibility that the legislator, by amending the methodological norms, may lay down the exact data to be reflected in the databases. However, in the absence of such indications, practices whereby more data are collected than the ones strictly necessary for identification (e.g., contact data) or whereby copies of players’ identity documents are made should be avoided.
Can I carry out the identification and registration procedures by automated means?
There is nothing to prevent the implementation of a system whereby access to the premises is based on the scanning of certain documents (e.g., identity card, driving license). However, such a system must be designed to perform only those activities strictly necessary to fulfil legal obligations – it must be able to read only the relevant data and reflect it accordingly into the database, and not to store in any way the documents subject to automated verification.
Is it necessary to inform players about this processing activity?
Even if the processing is based on a legal obligation imposed on the gambling operators, this does not affect the right of the data subject to be informed about this processing activity. Therefore, gambling operators need to update their procedures on the processing of personal data to ensure that data subjects are correctly informed about this personal data processing activity.
How long do I have to store individuals’ data in databases?
The legal provisions require a minimum period – 5 years. After 5 years, we consider that the controller should analyze whether these data are still necessary to be processed (there can be also other purposes for processing, such as a request for information from the National Gambling Office). If the answer is affirmative, the data can be kept further. If the answer is negative, the controller is required to anonymize or delete the information reflected in the database.
Depending on the decision of the legislator on how to implement these obligations, there may be other issues that are relevant to this discussion. In the meantime, we consider that the aspects outlined above are a good starting point for operators to ensure that the identification of individuals and the compilation of databases are carried out in full observance of the protection of personal data provisions.
