GDPR for Online Casinos

Why is it especially important to comply with the GDPR as an Online Casino? And how do you do it? XY Legal Solutions explains!

As an Online Casino company (based in the EU), it is especially important to comply strictly with the General Data Protection Regulation (GDPR). This is because of the sensitivity of the personal data online casinos process, the sheer volume of that data, high-impact processing purposes (such as marketing) and the additional legislative requirements imposed by licensing jurisdictions.

But how do you achieve compliance with the GDPR as an Online Casino company?

This article will point out the following subjects:

  • A brief history of the GDPR;
  • Why it is extra important to comply for casinos;
  • How to write a Privacy Policy (and how to comply in general).

Want to know more about this subject? XYLS offers you a free scan of your Privacy Policy, with a 30-minute consult. Interested? Contact us directly via email: or leave your contact details in the form on our website.

A brief GDPR history

With regard to data protection in general, Europe actually made the first steps in Article 8 of the European Convention on Human Rights (ECHR, 1953). Although it isn’t nearly as extensive as privacy legislation is today, it still provides clear foundations for modern European privacy laws. The article reads:

“1. Everyone has the right to respect for his private and family life, his home and his correspondence.

2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.”

In 1981, the Council of Europe established standards with the purpose of ensuring the free flow of information throughout EU Member States. These standards were written down in ‘The Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data’.

During the 80s and 90s, the availability of computers exploded, and by 1995 millions of people throughout the EU were regularly using the internet. At this point, it was clear that the ECHR articles (8, as well as 10, which focuses on freedom of expression) and the 1981 convention were inadequate when it came to ensuring data protection. In 1995, the Data Protection Directive (DPD) was enacted. This Directive required EU Member States to develop laws that would meet rigorous minimum standards regarding computers and data processing.

More and more EU Member States started to act on the DPD. But as the EU unified further, talks about unifying data protection legislation as well began. These talks were accompanied by growing worries about data processing. In 2016, the General Data Protection Regulation (GDPR) was developed as a result of these discussions.

Why is it extra important to comply with GDPR as an Online Casino company?

Every organization which operates within the EU has to comply with the GDPR. However, for certain organizations compliance is extra important, and it is logical to state that Online Casino companies fall under this category. Why? Because of an increased duty of care regarding personal data:

Online Casinos deal with very sensitive data

First of all, playing games of chance is in many cases seen as something people are not proud of. This means that, whether you agree with it or not, being extra careful with this data is important. Looking at the GDPR, chances are high that online casinos process data concerning health, as defined in Article 4 sub 15 GDPR:

“15. ‘data concerning health’ means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.”

Data concerning health is seen as a special category of personal data (see Article 6 sub 4c and Article 9 GDPR). And when would online casinos be dealing with this category of personal data? When talking to persons with serious gambling issues, for instance.

Of course, a person’s financial information could also be regarded as sensitive.

Online Casinos deal with a lot of personal data

Online Casino companies receive a lot of personal data. Think of the following:

  • Address information;
  • Copies of passport/ID/driver’s license;
  • Financial information (think of bank statements or even paychecks, which could be necessary for certain AML checks);
  • A person’s gambling behaviour in general.

Needless to say, Online Casino companies process a lot of information and should for that reason be extra careful and extra transparent.

Purposes of processing personal data with certain impacts

Online Casino companies have the ability, provided of course they have received an ‘okay’, to process personal data for marketing purposes. Think of sending emails about new promotions, or even text messages. Marketing is a very common purpose for processing personal data. But for Online Casino companies, it is important to keep in mind that gambling-related marketing could trigger a person to gamble (which can be addictive).

Legislative requirements within licensing jurisdictions

Within licensing jurisdictions, there may be additional (or deviating) legislative requirements when it comes to processing personal data. The Dutch ‘Besluit Werving, reclame en verslavingspreventie kansspelen’ (Paragraph 6), for example, contains a rather extensive list of requirements on storing and processing personal data.

How to comply with the GDPR as an Online Casino company?

Complying with the GDPR isn’t easy, especially for Online Casino companies. However, there are some steps that could lead to better compliance:

GDPR knowledge

Most Online Casino companies have a compliance department, which is logical given the legislative requirements from licensing jurisdictions. Besides that, it’s recommended to get your legal department up to date on the GDPR. Appointing a dedicated Data Protection Officer (DPO) could also be a very good option.

Setting up a Privacy Statement

A Privacy Statement is mandatory. But how do you set this up? Below we cover the 8 steps for writing your Privacy Policy:

  1. Start with an introduction. Who are you? And why are you processing personal data?
  2. Information about the personal data that is being processed. Explain specifically which data you process.
  3. Name the grounds for processing personal data. Legitimate interest, consent, complying with legal obligations: name them all!
  4. State the purposes for processing personal data. Of course, make sure you do this extensively. Describe anything from sending newsletters to CRM Systems.
  5. Provide information on how long data is being stored. Name the periods for storing data specifically, per data processing purpose.
  6. Provide information on parties you share personal data with. Think of accountants, marketing companies and government agencies.
  7. Explain data security. How are you making sure you are protecting personal data?
  8. Rights. Explain the rights a person has regarding the data you are processing: the right of access, the right to rectification, the right to data portability and so on.

Internal GDPR Documentation

Make sure you have internal GDPR documentation, ranging from an internal Privacy Statement to a Data Leaks Protocol. Having a Processing Register is also helpful (and in most cases mandatory). Finally, be sure to have Data Processing Agreement templates which you can have signed by processing parties, ensuring a safe way of using the data.

A GDPR and Online Gambling specialized legal partner?

The GDPR can be rather difficult to interpret. Working together with a legal partner with knowledge about the GDPR as well as (legal aspects of) Online Gambling could make life easier. XY Legal Solutions can assist you properly, for instance through a Compliance Agreement. Want to know more? Reach out to us via the form below!
