XYLS is actively working as Data Protection Officer (DPO) for various iGaming Companies with a Dutch Focus (read one of our business cases here). We are supporting development companies, affiliate companies and operators with our General Data Protection Regulation (GDPR) related services. At XYLS, we have a strong focus on the iGaming industry, where we advise on legislative matters (compliance), strategy and business opportunities. As we are also actively engaged in GDPR related matters, this makes for a great combination for Dutch focused iGaming companies. So, first of all, why is it so important to have a DPO when you’re active in the world of iGaming?
First of all, it is relevant to explain more about the position of a DPO. Article 37 of the GDPR points out, in sub 1 (a – c), situations in which a DPO is necessary:
In sub b and c, it is stated that a DPO is needed when you are regularly and systematically monitoring data subjects ánd if the core activities consist of processing on a large scale. Next to that, special categories (like healthcare information) is named. So when we look at the operations of an online casino for instance, we could conclude that a DPO would be necessary because of the following:
So, having a DPO is something to consider in light of GDPR compliance. Next to that, a DPO is capable of assisting your company, your employees and to answer questions coming from players. The DPO will have a direct line of contact with the Autoriteit Persoonsgegevens (AP), which can prove valuable in certain ‘interpretation related’ questions.
People often actually think that a DPO should always be actively working for the company (as an internal employee. But that’s a wrong assumption. In the Guidelines on Data Protection Officers, the ‘GDPR writers’ (the ‘Working Party on the protection of individuals with regard to the processing of personal data’) inform us that putting an external DPO in place is very much possible because of the existence of clause 37 sub 6 of the GDPR:
“The data protection officer may be a staff member of the controller or processor, or fulfil tasks on the basis of a service contract.”
Furthermore, the Working Party explains that competence of the DPO is very important. So looking at this, it could be concluded that having an external DPO could even be more valuable than having an internal DPO.
Furthermore, the Dutch Autoriteit Persoonsgegevens explains what a DPO should know and be capable of. Below, these points are being explained in light of our competence:
XYLS has been active in the field of GDPR and privacy legislation for years. XYLS also works as an external DPO within other organizations, and also has the necessary knowledge of large-scale GDPR projects.
XYLS has an outlined audit process which would make it possible to become knowledgeable of the companies working structure within a short period of time.
XYLS obtained ISO 27001 certificates (for an information security management system, for iGaming companies). Read this case for example.
XYLS is a niche company within the iGaming sector, with a broad focus on both the GDPR and gambling legislation. Being a Dutch company, XYLS speaks the right language to communicate with the relevant authorities, representing the organization (which is by law expected of a DPO).
XYLS has outlined processes for auditing, assisting and advising iGaming companies as DPO. Also, there are training programs in place for the company.
Other benefits: working with XYLS as DPO is considered low threshold, cost efficient and effective. With a great team of motivated GDPR consultants, XYLS would be capable of providing low and high capacity needs.
XYLS will start with auditing the GDPR processes withing your organization. These audits will make it easier for us to get a grip on our new role. Of course, we will provide you with a risk assessment where we will also provide points of action, and our advisement on how to tackle this. We can always assist you in operational work, such as setting up relevant (and necessary) documentation. Interested? Reach out by emailing firstname.lastname@example.org!