On October 22, 2020, we at XY Legal Solutions made use of a consultation option with the Dutch Gaming Authority. This consultation focused on the draft version of the responsible gaming policy. In our consultation we wrote the following about the GDPR and data processing in gambling addiction:
“In the context of article 3.1.13, I will discuss a number of points that affect, among other things, the GDPR legislation. Article 3.1.13 pertains to the analysis of data relating to the gambling behavior of the player (interaction and coherence between data, from which the license holder can deduce that there is a reasonable suspicion of excessive participation in games of chance or risks of gambling addiction). First of all, paragraph 2 of this article indicates that the findings of the analysis must be recorded in writing. I think it would be useful to add a definition of “written” to the policy document itself, or to define it in the provision itself. Does this really concern hard copy? Or is writing in this context also simply “digital writing”, as is fairly common nowadays? And is it possibly useful to point out a GDPR-compliant way of protecting this data? It also appears from explanations that the discussed analysis can be carried out by a professional (or even by means of statistical models). When we speak of a professional, it is in fact a third party. As a processor, this third party will process data for the controller: the license holder. Perhaps it is therefore important to set certain requirements for this professional.
The data collected in the context of addiction prevention can be regarded as very privacy-sensitive. With Article 9 of the GDPR in mind, it could even be argued that special categories of personal data are being processed. Gambling addiction, especially when there is an official diagnosis, can then be classified under “data on health”. It can also be clearly established that in the context of Article 3.1.13 there is ‘processing’ of personal data (see Article 4 GDPR). In fact, data can lead to intervention measures (unsolicited for the consumer) (Article 3.1.14 et seq.).
Protecting consumers when it comes to addiction prevention is of course very important. But with the intensive focus on addiction prevention that is expected of licensees, there is a good chance that a GDPR compliant working method will be more difficult. Not only the license holder is obliged to provide far-reaching insights: in certain cases it is indicated that they can also engage third parties for this.
The role of license holders in the context of addiction prevention provides a method that is abrasive with the GDPR, if there is uncertainty about this and if implementation is carried out inadequately.”
On 3 February 2021, a Dutch advisory body (the ‘Raad van State’) advised on the Remote Gaming Decree. Although this concerns different regulations than those we were consulted on, the advisory report shows many similarities. For example, it discusses many of the GDPR points we raised, such as the extra guarantees required for ‘health data’:
“In addition, games of chance may include data that are classified under the GDPR as “special” personal data, since data about (possible) gambling addiction are data about health. Processing of such data must also be necessary for compelling reasons of public interest, in this case the prevention and control of gambling addiction. (see note 46) In view of the basis for the registration obligation in the (amended) Betting and Gaming Act adopted by the legislator, this measure is considered necessary and proportional.”
It is interesting for us to see how much the GDPR is part of the coming legislation. At XY Legal Solutions we focus on online games of chance, and we work with the GDPR on a daily basis. Do you have questions about the GDPR implementation at your online gaming organization? Don’t hesitate to contact us. You can send an email to firstname.lastname@example.org.