XY Legal Solutions (XYLS) as external Data Protection Officer (DPO) for the Dutch iGaming Industry

XYLS is actively working as Data Protection Officer (DPO) for various iGaming Companies with a Dutch Focus (read one of our business cases here). We are supporting development companies, affiliate companies and operators with our General Data Protection Regulation (GDPR) related services. At XYLS, we have a strong focus on the iGaming industry, where we advise on legislative matters (compliance), strategy and business opportunities. As we are also actively engaged in GDPR related matters, this makes for a great combination for Dutch focused iGaming companies. So, first of all, why is it so important to have a DPO when you’re active in the world of iGaming?

Reasons for having a DPO within the (Dutch) iGaming Industry

First of all, it is relevant to explain more about the position of a DPO. Article 37 of the GDPR points out, in sub 1 (a – c), situations in which a DPO is necessary:

  1. the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
  1. the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
  2. the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 or personal data relating to criminal convictions and offences referred to in Article 10.

In sub b and c, it is stated that a DPO is needed when you are regularly and systematically monitoring data subjects ánd if the core activities consist of processing on a large scale. Next to that, special categories (like healthcare information) is named. So when we look at the operations of an online casino for instance, we could conclude that a DPO would be necessary because of the following:

  • Monitoring takes place on a large and consistent scale. Think of Wwft (AML) related monitoring (of players and their transactions), or monitoring which is related to responsible gambling.
  • For most online casino’s, there is a lot of personal data being processed as it is pretty common to have thousands of active players on your platform. The Dutch iGaming legislation requires identification (and verifying identification) of players, as well as collecting other personal information (financial information for instance).
  • When it comes to sub c, special categories of data, we should point out that it is a great possibility for online casino’s to encounter information about someone’s healthcare status. This could be the case when a player is being approached after a period of excessive gambling.

So, having a DPO is something to consider in light of GDPR compliance. Next to that, a DPO is capable of assisting your company, your employees and to answer questions coming from players. The DPO will have a direct line of contact with the Autoriteit Persoonsgegevens (AP), which can prove valuable in certain ‘interpretation related’ questions.

Benefits of working with XYLS as external DPO

People often actually think that a DPO should always be actively working for the company (as an internal employee. But that’s a wrong assumption. In the Guidelines on Data Protection Officers, the ‘GDPR writers’ (the ‘Working Party on the protection of individuals with regard to the processing of personal data’) inform us that putting an external DPO in place is very much possible because of the existence of clause 37 sub 6 of the GDPR:

“The data protection officer may be a staff member of the controller or processor, or fulfil tasks on the basis of a service contract.”

Furthermore, the Working Party explains that competence of the DPO is very important. So looking at this, it could be concluded that having an external DPO could even be more valuable than having an internal DPO.

Furthermore, the Dutch Autoriteit Persoonsgegevens explains what a DPO should know and be capable of. Below, these points are being explained in light of our competence:

  • Experience with privacy as a legal subject and privacy legislation (The law requires expertise and skills that in any case include: knowledge of national and European privacy laws and regulations on data processing):


XYLS has been active in the field of GDPR and privacy legislation for years. XYLS also works as an external DPO within other organizations, and also has the necessary knowledge of large-scale GDPR projects.

  • The (external) DPO must have knowledge of the data processing carried out by the organization:


XYLS has an outlined audit process which would make it possible to become knowledgeable of the companies working structure within a short period of time.

  • Knowledge of information security and IT must be present:


XYLS obtained ISO 27001 certificates (for an information security management system, for iGaming companies). Read this case for example.

  • The DPO must have knowledge of the organization and the sector in which it operates:


XYLS is a niche company within the iGaming sector, with a broad focus on both the GDPR and gambling legislation. Being a Dutch company, XYLS speaks the right language to communicate with the relevant authorities, representing the organization (which is by law expected of a DPO).

  • A DPO must have skills to develop a culture of (proactive) data protection at the organization:


XYLS has outlined processes for auditing, assisting and advising iGaming companies as DPO. Also, there are training programs in place for the company.

Other benefits: working with XYLS as DPO is considered low threshold, cost efficient and effective. With a great team of motivated GDPR consultants, XYLS would be capable of providing low and high capacity needs.

How does it work?

XYLS will start with auditing the GDPR processes withing your organization. These audits will make it easier for us to get a grip on our new role. Of course, we will provide you with a risk assessment where we will also provide points of action, and our advisement on how to tackle this. We can always assist you in operational work, such as setting up relevant (and necessary) documentation. Interested? Reach out by emailing info@xyls.nl!