Since 2020, XYLS has been actively working for Air Dice, a group of companies focused on design and implementation of iGaming software, and the licensing of this software to other companies for operation. Air Dice has active locations and operations within, among others, the following jurisdictions:
XYLS actively serves the group, and was able to assist Air Dice in obtaining ISO 27001 certification in 2021. XYLS services Air Dice by means of a Legal Services Agreement. Air Dice CEO Sami Mäkinen said the following about the services provided:
“Air Dice is a specialist supplier of unique online gambling games. We are rapidly expanding to new jurisdictions. In this world of rapidly evolving (contractual) compliance, as well as our need to obtain ISO 27001 certification, we needed a legal partner who would get to know our business, so that we could treat them just the same as an in-house legal team. With XY Legal Solutions, we were able to reach a low threshold quick response working model to suit our needs.”
Air Dice is active within the iGaming sector, making GDPR awareness an important part of doing business. Air Dice appointed a DPO (a person or company controlling all privacy-related matters) for the group, working out of the Helsinki offices. In cross-border business activities, it is common to have a DPO structure like the one Air Dice has. Improvement is possible, though, by appointing DPOs per jurisdiction. XYLS thus proposed to Air Dice to become the external DPO for Air Dice Services Benelux, located in the Netherlands.
First of all, it is good to provide some information on the external DPO structure. A lot of companies actually think that a DPO should always be an employee of the company itself. This isn't the case. In the Guidelines on Data Protection Officers, the writers of the GDPR (the 'Working Party on the protection of individuals with regard to the processing of personal data') explain that appointing an external DPO is very much possible because of the existence of clause 37 sub 6 of the GDPR:
“The data protection officer may be a staff member of the controller or processor, or fulfil tasks on the basis of a service contract.”
Furthermore, the Working Party explains that competence is most important. So having an external DPO could actually be a much better solution if there is no knowledgeable person working within the company.
Based on the above, XYLS proposed the structure to Air Dice. Furthermore, the Dutch Autoriteit Persoonsgegevens explains what a DPO should know and be capable of. Below, these points are explained in light of the Air Dice structure:
XYLS has been active in the field of GDPR and privacy legislation for years. XYLS also works as an external DPO within other organizations and has the necessary knowledge of large-scale GDPR projects.
XYLS has already been heavily involved with GDPR-related matters for Air Dice, making the step to become DPO a reasonable one.
XYLS recently obtained the ISO 27001 certificate (for an information security management system) for Air Dice, a software company at its core.
XYLS is a niche company within the iGaming sector, with a broad focus on both the GDPR and gambling legislation. Being a Dutch company, XYLS speaks the right language to communicate with the relevant authorities, representing the organization (which is by law expected of a DPO).
XYLS has been actively involved in setting up internal privacy measures to ensure awareness across the whole Air Dice group, Air Dice Services Benelux included.
The information above led Air Dice to conclude that having XYLS as an external DPO would be a perfect solution for Air Dice Services Benelux.