C.A. LUCA Mihai Cătălin
Although the GDPR has been in effect since 25 May 2018 and has been implemented in national legislation by Law no. 190/2018, the provisions of these two legislative acts continue to attract heightened interest among gambling organizers who, by the nature of their activity, also act as controllers of personal data.
One of the GDPR chapters under intense media scrutiny concerns the sanctions the relevant authorities may apply in this industry when the obligations incumbent on controllers of personal data are not observed.
The GDPR regulates two types of sanctions: corrective measures, which aim to limit the adverse effects of improper personal data processing, on the one hand, and administrative fines ordered in addition to, or instead of, the corrective measures, on the other.
The corrective measures ANSPDCP may adopt with respect to the GDPR are the following:
- a) to issue warnings to a controller or processor that intended processing operations are likely to infringe provisions of GDPR;
- b) to issue reprimands to a controller or a processor where processing operations have infringed provisions of GDPR;
- c) to order the controller or the processor to comply with the data subject’s requests to exercise his or her rights pursuant to GDPR;
- d) to order the controller or processor to bring processing operations into compliance with the provisions of GDPR;
- e) to order the controller to communicate a personal data breach to the data subject;
- f) to impose a limitation or a ban on processing;
- g) a possibility to order the rectification or erasure of personal data or restriction of processing and the notification of such actions to recipients to whom the personal data have been disclosed;
- h) a possibility to withdraw a certification or to order the certification body to withdraw a certification issued pursuant to Articles 42 and 43 of GDPR, or to order the certification body not to issue certification if the requirements for the certification are not or are no longer met;
- i) a possibility to order the suspension of data flows to a recipient in a third country or to an international organization.
The above list of corrective measures is not exhaustive, which allows each Member State to regulate additional measures of this kind in its domestic law.
In domestic legislation, Law no. 190/2018 expressly covers only the application of corrective measures to public authorities and bodies.
Regarding the second category of sanctions, i.e. administrative fines, according to the information made available to the public, ANSPDCP has so far applied three misdemeanor fines pursuant to the GDPR.
In this context, it is worth recalling that the fines under the GDPR concern two categories of infringements.
The first category, which includes, for instance, infringement of the obligation to implement appropriate technical and organizational measures ensuring a level of security appropriate to the risk, or failure to notify the supervisory authority of a personal data breach, is punishable by administrative fines of up to EUR 10,000,000 or, for enterprises, up to 2% of their total worldwide annual turnover of the preceding financial year, whichever is higher.
The second category, which includes, for instance, breach of the basic processing principles, including the conditions for consent, or breach of the data subjects’ rights, is punishable by administrative fines of up to EUR 20,000,000 or, for enterprises, up to 4% of their total worldwide annual turnover of the preceding financial year, whichever is higher.
The decision to apply an administrative fine, as well as the decision on the amount of such a fine, should rely on a thorough assessment covering, inter alia, the following issues: (i) the nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them; (ii) whether the infringement was committed intentionally or negligently; (iii) any relevant previous infringements by the controller or processor; and (iv) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained or losses avoided, directly or indirectly, as a result of the infringement.
Far from being a matter of the past, the GDPR topic is now, as can easily be observed, compounded by the need to align practices with the recently adopted regulations on preventing and combating money laundering and terrorist financing, Law no. 129/2019 (hereinafter the “AML Law”), especially for gambling organizers, as reporting entities expressly covered by this law.
The AML Law transposes into Romanian law Directive (EU) 2015/849 of the European Parliament and of the Council of 20 May 2015 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, amending Regulation (EU) No 648/2012 of the European Parliament and of the Council, and repealing Directive 2005/60/EC of the European Parliament and of the Council and Commission Directive 2006/70/EC.
An issue of interest to gambling organizers is that the AML Law designates the National Gambling Office (hereinafter “ONJN”) as the regulatory, supervisory and control authority for this sector.
In this capacity, the ONJN is authorized, inter alia, to assess the risk of money laundering and terrorist financing at sectoral level, and may issue regulations or instructions on risk factors and on countering and mitigating measures.
Furthermore, arguably one of the most important powers granted to the ONJN under the AML Law is that, with respect to gambling organizers, it is the authority empowered to ascertain and sanction misdemeanors falling under the scope of the AML Law, and it may also apply additional specific sanctioning measures, in line with its existing jurisdiction.
The authority coordinating the money laundering and terrorist financing risk assessment at national level (in close cooperation with the ONJN and the other designated authorities) is the National Office for Prevention and Control of Money Laundering (hereinafter the “Office”).
As the Romanian institution that collects financial information, the Office’s duties include receiving, from the reporting entities, the transaction reports provided for by the AML Law.
We detail below a number of obligations incumbent on gambling organizers under the new AML legislation.
Obligations to report
As reporting entities, gambling organizers must submit to the Office a report on suspicious transactions in the cases provided under the law, as a rule before a transaction is executed for the client concerned, where the execution relates to the reported suspicion.
Non-suspicious cash transactions, in lei or foreign currency, of at least the lei equivalent of EUR 10,000 must also be reported to the Office, within no more than 3 business days of the execution of the transaction.
However, where these transactions are carried out through a credit or financial institution, the reporting obligation falls on the latter, except for operations pertaining to money issuance activity, which the reporting entities must report to the Office as reports on the transfer of funds, with a floor of the lei equivalent of EUR 2,000.
Obligation to apply know-your-customer measures
The AML Law expressly provides that gambling organizers must apply the regulated standard know-your-customer measures (such as verifying customers’ identity against their identity documents), inter alia, upon collecting winnings or buying or exchanging chips, when performing transactions of at least the RON equivalent of EUR 2,000 in a single transaction.
In practice, this means that the standard know-your-customer measures are required for the collection as well as the award of winnings, where such a transaction, as a one-off operation, amounts to at least the lei equivalent of EUR 2,000.
Furthermore, as reporting entities, gambling organizers must have appropriate risk management systems in place, including risk-based procedures, to establish whether a customer or their real beneficiary, within the meaning of the law, is a publicly exposed person.
Where a customer or their real beneficiary is a publicly exposed person, the AML Law counts this among the situations likely to generate an increased money laundering or terrorist financing risk, in which the obligation to apply additional know-your-customer measures comes into effect.
These additional measures include: obtaining senior management approval for establishing or continuing the business relationship with such persons, taking appropriate measures to establish the source of the wealth and funds involved in the business relationship or transactions with such persons, and permanent, enhanced monitoring of those business relationships.
The AML Law also provides for situations where reporting entities may apply simplified know-your-customer measures to customers classified as low-risk. However, we consider that these need not be dealt with in this article, given that for the gambling industry, which is specifically regulated by the AML Law, a risk assessment is very unlikely to lead to a low-risk classification.
To conclude, the new AML Law brings new challenges, including for gambling organizers, by doubling the efforts required of economic operators, which are still “fighting” for full compliance with the GDPR requirements.