For an Online Casino company based in the EU, strict compliance with the General Data Protection Regulation (GDPR) is especially important. This is because of the sensitivity of the personal data online casinos process, the volume of that data, processing purposes with a high impact (such as marketing) and additional legislative requirements from licensing jurisdictions.
But how does an Online Casino company achieve compliance with the GDPR?
This article will point out the following subjects:
With regard to data protection in general, Europe actually took the first steps in Article 8 of the European Convention on Human Rights (ECHR, 1953). Although it isn’t nearly as extensive as privacy legislation is today, it still provides clear foundations for modern European privacy laws. The article reads:
“1. Everyone has the right to respect for his private and family life, his home and his correspondence. 2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.”
In 1981, the Council of Europe established standards with the purpose of ensuring the free flow of information throughout EU Member States. These standards were written down in ‘The Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data’.
During the 80s and 90s, the availability of computers exploded, and by 1995 millions of people throughout the EU were regularly using the internet. At this point, it was clear that the ECHR articles (8, as well as 10, which focuses on freedom of expression) and the convention from 1981 were inadequate when it came to ensuring data protection. In 1995, the Data Protection Directive (DPD) was enacted. This Directive required EU Member States to develop laws that would meet rigorous minimum standards regarding computers and data processing.
More and more EU Member States started to act on the DPD. But as the EU itself became more and more unified, talks began about unifying data protection legislation as well, accompanied by growing worries about data processing. In 2016, the General Data Protection Regulation (GDPR) was developed as a result of these discussions.
Every organization which operates within the EU has to comply with the GDPR. However, for certain organizations compliance is extra important, and it is logical to count Online Casino companies among them. Why? Because of an increased duty of care regarding personal data:
First of all, playing games of chance is in many cases seen as something people are not proud of. This means that, whether you agree with it or not, being extra careful with this data is important. Looking at the GDPR, chances are high that online casinos process data concerning health, Article 4 sub 15 GDPR:
“15. ‘data concerning health’ means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.”
Data concerning health is seen as a special category of personal data (see Article 6 sub 4c and Article 9 GDPR). And when would online casinos be dealing with this category of personal data? When talking to persons with serious gambling issues, for instance.
Of course, financial information about persons could also be regarded as sensitive.
Online Casino companies receive a lot of personal data. Think of the following:
Needless to say, Online Casino companies process a lot of information and should for that reason be extra careful and extra transparent.
Online Casino companies have the ability, once they have received an ‘okay’, to process personal data for marketing purposes. Think of sending emails about new promotions, or even text messages. Marketing is a very common purpose for processing personal data. But for Online Casino companies, it is important to keep in mind that gambling-related marketing could trigger a person to gamble (which can be addictive).
Within licensing jurisdictions, there may be additional (or deviating) legislative requirements when it comes to processing personal data. The Dutch ‘Besluit Werving, reclame en verslavingspreventie kansspelen’ (Paragraph 6) contains a rather extensive list of requirements on storing and processing personal data.
Complying with the GDPR isn’t easy, especially for Online Casino companies. However, there are some steps that could lead to better compliance:
Most Online Casino companies have a compliance department. This is logical, given the legislative requirements from licensing jurisdictions. Besides that, it’s recommended to bring your legal department up to date on the GDPR. Appointing a dedicated Data Protection Officer (DPO) could also be a very effective option.
– Setting up a Privacy Statement
Make sure you have internal GDPR documentation, ranging from an internal Privacy Statement to a Data Leaks Protocol. Also, having a Processing Register can be helpful (and in most cases, mandatory). Be sure, too, to have Data Processing Agreement templates which you can have signed by processing parties (ensuring a safe way of using the data).
The GDPR can be rather difficult to interpret. Working together with a legal partner with knowledge about the GDPR as well as (legal aspects of) Online Gambling could make life easier. XY Legal Solutions can assist you properly, for instance through a Compliance Agreement. Want to know more? Reach out to us via the form below!