GDPR AND ONLINE GAMBLING: HOW THE NEW LAW WILL AFFECT ONLINE CASINOS
On 25 May 2018 the GDPR, the European Union Regulation on the protection of the personal data of individuals in the EU, became applicable. What the GDPR is and how it affects companies working in online gambling is explained below by the experts at Slotegrator.
WHAT IS GDPR
European Union Regulation (EU) 2016/679 is called the "General Data Protection Regulation", abbreviated GDPR. Its purpose is stated in its title: it lays down general rules on the protection of personal data.
The GDPR consists of 173 recitals and 99 articles. It was adopted by the European Parliament and the Council of the EU in the spring of 2016 and, after a two-year transition period, became applicable on 25 May 2018. The purpose of the document is to strengthen the protection of, and individuals' control over, the personal data of all persons in the European Union, which at that time comprised 28 countries. It also governs personal data exported from the EU, that is, cross-border data transfers.
The GDPR repeals the previous EU instrument on the protection of personal data, the Data Protection Directive 95/46/EC of 1995. Unlike a directive, which each member state had to transpose into its own legislation, a regulation is directly applicable and binding in every EU member state without national implementing laws.
THE MAIN PROVISIONS OF THE GDPR
The Regulation enshrines the following principles for the processing of personal data:
- The principle of lawfulness, fairness and transparency. Data must be processed lawfully, fairly and in a transparent manner in relation to the data subject, the individual the data is about.
- The principle of purpose limitation. Data should be collected for specified, explicit and legitimate purposes and should not be further processed in a manner that is incompatible with those purposes.
- The principle of data minimisation. Data should be collected only to the extent that is necessary for the stated purposes.
- The principle of accuracy. Data must be accurate and, where necessary, kept up to date; inaccurate data should be corrected or erased without delay.
- The principle of storage limitation. Data should be stored in a form that identifies the person for no longer than is necessary for the intended purposes.
- The principle of integrity and confidentiality. Personal data must be protected against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organisational measures.
Personal data means any information relating to an identified or identifiable natural person (the data subject). This includes name and surname, identity document details, location data, online identifiers such as IP addresses and cookie IDs, and factors specific to a person's physical, physiological, genetic, mental, economic, cultural or social identity, as well as religious beliefs, etc.
In addition, the GDPR introduces the notion of "monitoring the behaviour of data subjects". This covers the tracking and analysis of consumer behaviour and preferences, including profiling. Such processing therefore also falls under the requirements of the Regulation, even when carried out by a company outside the EU.
Consent of the individual is one of the lawful bases for processing personal data (alongside others such as the performance of a contract, a legal obligation or the legitimate interests of the controller), and it is the basis most online services rely on for marketing and tracking. The person must understand clearly for what purposes the information is needed. The requirements for obtaining consent electronically have been tightened considerably in the Regulation.
Consent must be given by a clear affirmative action. For example, a consent checkbox that is already ticked "by default" does not constitute valid consent and can now be treated as a violation. The company must also be able to demonstrate that the person consented, so it should record when, how and to what the person agreed, for example by sending a confirmation message and keeping a log of the consent.
Companies are obliged to notify the supervisory authority of any personal data breach, that is, any breach of the security, integrity or confidentiality of personal data, unless the breach is unlikely to result in a risk to the individuals concerned. Notification must be made within 72 hours of becoming aware of the breach, whether it resulted from a hacker attack, an insider's unlawful act or an accident. Where the breach is likely to result in a high risk to individuals, the affected data subjects must also be informed without undue delay.
The GDPR specifies that the user has the right to withdraw consent to the processing of personal data at any time, and withdrawing consent must be as easy as giving it. The option to do so should be placed on the site in such a way that a person can easily find it.
New in the Regulation is the "right to data portability": the user may receive the personal data he has provided in a structured, commonly used and machine-readable format and transfer it from one service to another. At the customer's request, the company must transmit an electronic copy of his personal data directly to another controller where technically feasible, free of charge.
The GDPR also provides for the "right to erasure", also known as the "right to be forgotten". It allows a person to have his personal data deleted, for example when the data is no longer necessary for the purpose it was collected for, when he withdraws the consent on which the processing was based, when he objects to the processing, or when the data has been processed unlawfully.
In addition, Europeans can request any information regarding the processing of their data: its purposes, the categories of data held, which third parties have access to it, the retention period, the source from which it was obtained, etc. The citizen can also have inaccurate data corrected.
RESPONSIBILITY FOR THE VIOLATION OF THE GDPR
Enforcement is carried out by the national supervisory authorities (data protection authorities) of the member states. The European Data Protection Board (EDPB), established by the GDPR, coordinates these authorities and ensures that the Regulation is applied consistently across the EU.
For serious failures to comply with the GDPR, a business or organisation can be fined up to 20 million euros or up to 4% of its total worldwide annual turnover for the previous financial year, whichever is higher. For less serious violations the fine can be up to 10 million euros or 2% of total annual turnover, again whichever is higher.
WHO THE GDPR APPLIES TO
The GDPR identifies two types of entities involved in the processing of personal data: the "controller" and the "processor".
- A "controller" is an individual or organisation that determines the purposes and means of collecting and processing personal data.
- A "processor" is an individual or organisation that collects and processes personal data on behalf of the controller.
The controller bears the greater responsibility, since the processor acts on its instructions. Processors nevertheless have their own direct obligations under the Regulation, such as processing data only under a written contract, keeping records of processing, securing the data and notifying the controller of breaches.
Thus, the first category of companies covered by the GDPR is both European and foreign businesses that offer goods or services to individuals in the EU, whether or not payment is required, and that collect and process the personal data of those customers in the course of that activity.
The second category of companies are those that monitor the behaviour and preferences of individuals in the EU.
HOW THE GDPR WILL BE APPLIED IN THE CIS
In the CIS a large number of companies fall under the GDPR, ranging from banks with branches in Europe (for example, the Russian banks VTB and Sberbank) to internet companies that use ordinary advertising cookies to track European users.
Betting and gambling sites must also adhere to the new rules if their services are offered to EU residents, even if the operator performs no operations directly on the territory of the EU and has no representative offices or contractors in Europe.
Signs that a site's services are directed at Europeans include:
- Services are offered in the languages of EU countries;
- Deposits are accepted in the local currencies of EU countries;
- The site uses national top-level domains of EU countries (".de", ".nl", ".uk", etc.).
RECOMMENDATIONS FOR OPERATORS
Gambling projects that are aimed at European players but have no establishment in the EU must designate, in writing, a representative in the European Union. The representative acts on behalf of the controller or processor and is the point of contact for all EU supervisory authorities and for data subjects on matters relating to the processing.
A company that already has subsidiaries, branches or other establishments in EU countries falls under the Regulation directly through that establishment and handles these obligations itself. For other operators, a European partner company, for example a developer or provider of gaming software, can be designated as the representative.
European gambling providers have already sent notices to their customers stating which personal data they process, which third parties have access to it, and what the data subject is entitled to demand under the law with regard to that data.
The experts at Slotegrator advise operators of gambling sites to conduct an inventory of the personal data of all players and of the systems in which it is processed, and to review every third party that has access to this data and put data processing agreements in place with them.
It is also recommended to determine the minimum amount of personal data required and the period for which it needs to be stored. In addition, procedures must be put in place for providing, transferring, correcting and deleting data at the data subject's request. Other important points are breach reporting to the regulator and the appointment of those responsible for data protection, including a data protection officer where the Regulation requires one.
The GDPR is a new reality for working in the European market. The Regulation significantly raises the level of protection of personal data both inside the EU and beyond it. For the legal gambling business, compliance with the GDPR allows it to make the most of the opportunities of the single European digital market. Oversight by the EU supervisory authorities will, in turn, serve as evidence of the honesty and law-abiding conduct of the gambling establishment, which will have a positive effect on its reputation and on customers' trust.