XY Legal Solutions (XYLS) as external Data Protection Officer (DPO) for Air Dice Services Benelux

Since 2020, XYLS has been actively working for Air Dice, a group of companies focused on design and implementation of iGaming software, and the licensing of this software to other companies for operation. Air Dice has active locations and operations within, among others, the following jurisdictions:

  • Finland (Headquarters located in Helsinki);
  • Malta;
  • The Netherlands;
  • Belgium;
  • The UK;
  • South Africa.

XYLS actively serves the group, and was able to assist Air Dice in obtaining ISO 27001 certification in 2021. XYLS services Air Dice by means of a Legal Services Agreement. Air Dice CEO Sami Mäkinen said the following about the services provided:

“Air Dice is a specialist supplier of unique online gambling games. We are rapidly expanding to new jurisdictions. In this world of rapidly evolving (contractual) compliance, as well as our need to obtain ISO 27001 certification, we needed a legal partner who would get to know our business, so that we could treat them just the same as an in-house legal team. With XY Legal Solutions, we were able to reach a low threshold quick response working model to suit our needs.”

DPO structure Air Dice Group

Air Dice is active within the iGaming sector, making GDPR awareness an important part of doing business. Air Dice installed a DPO (a person or company controlling all privacy-related matters) for the group, working out of the Helsinki offices. In cross-border business activities, it is common to have a DPO structure like the one Air Dice has. Improvement is possible, though, by installing DPOs per jurisdiction. XYLS thus proposed to Air Dice to become external DPO for Air Dice Services Benelux, located in the Netherlands.

XYLS as DPO for Air Dice Services Benelux: benefits explained

First of all, it is good to provide some information on the external DPO structure. A lot of companies actually think that a DPO should always be an employee of the company itself. This isn’t the case. In the Guidelines on Data Protection Officers, the writers of the GDPR (the ‘Working Party on the protection of individuals with regard to the processing of personal data’) explain that installing an external DPO is very much possible because of Article 37(6) of the GDPR:

“The data protection officer may be a staff member of the controller or processor, or fulfil tasks on the basis of a service contract.”

Furthermore, the Working Party explains that competence is most important. So having an external DPO could actually be a much better solution if there is no knowledgeable person working within the company.

Based on the above, XYLS proposed the structure to Air Dice. Furthermore, the Dutch Autoriteit Persoonsgegevens explains what a DPO should know and be capable of. Below, these points are explained in light of the Air Dice structure:

  • Experience with privacy as a legal subject and privacy legislation (The law requires expertise and skills that in any case include: knowledge of national and European privacy laws and regulations on data processing):

XYLS has been active in the field of GDPR and privacy legislation for years. XYLS also works as an external DPO within other organizations, and also has the necessary knowledge of large-scale GDPR projects.

  • The (external) DPO must have knowledge of the data processing carried out by the organization:

XYLS has already been heavily involved with GDPR-related matters for Air Dice, making the step to become DPO a reasonable one.

  • Knowledge of information security and IT must be present:

XYLS recently obtained the ISO 27001 certificate (for an information security management system) for Air Dice, a software company at its core.

  • The DPO must have knowledge of the organization and the sector in which it operates:

XYLS is a niche company within the iGaming sector, with a broad focus on both the GDPR and gambling legislation. Being a Dutch company, XYLS speaks the right language to communicate with the relevant authorities, representing the organization (which is by law expected of a DPO).

  • A DPO must have skills to develop a culture of (proactive) data protection at the organization:

XYLS has been actively involved in setting up internal privacy measures to ensure awareness across the whole Air Dice group, Air Dice Services Benelux included.

The information above led Air Dice to conclude that having XYLS as an external DPO would be a perfect solution for Air Dice Services Benelux.

Want to know more?

Are you interested in the external DPO structure as described above? Please contact us; our consultants will explain more.