GDPR in the gambling business

In the process of gambling, the company collects personal data of players. In this regard, one of the categories of requirements for such projects is related to the processing and protection of this personal data. One of the strictest regulations is European. The main act regulating this process is the GDPR. In this article, you will read about the GDPR requirements for gambling and how to comply with them.


What is GDPR?

GDPR - General data protection regulation. This is an act of the European Union, which entered into force on May 25, 2018. It is considered one of the revolutionary ones in the field of personal data. Some companies have had to adapt to the requirements of this act for a long time. Therefore, if you are just opening a gambling project, it is better to immediately take into account the provisions of the GDPR.

Who is covered by the GDPR?

Territorial scope of the GDPR

Since the GDPR is an act of the European Union, then, first of all, all the criteria are related to the EU, 

In accordance with Art. 3 a gambling project is subject to the GDPR if:

  1. Data processing takes place in the context of the business of an organizational unit in the EU. This legal regulation means that the business has an office in the EU. Registration as a legal entity in the EU is optional. To determine whether there is organizational activity, the courts look at the following criteria: does the company have an account, a mailbox and a representative in the EU.      
  2. The data subject is located in the EU and the processing is related to the offer of goods and services.      

To have this criterion, the user does not need to have the citizenship of one of the EU states, it is enough to simply be in the EU. The goods and services offered do not have to be paid. 

At the same time, it should be obvious that the person who processes personal data is offering goods and services specifically to entities in the EU. Judicial practice has developed the following criteria. The availability of the website, e-mail address and the use of the language of the Member State are not sufficient. More convincing are the use of currency, mentioning users who are in the EU.

One of the most popular jurisdictions for obtaining a gambling license is Malta. This license applies to all EU countries. In order to obtain a license, you must have a registered legal entity in accordance with the laws of Malta. Therefore, you automatically meet the first criterion. Therefore, if you have a Malta gambling license, the GDPR applies to you. About the procedure for obtaining a gaming license in Malta, you can read in our article "Getting the gaming license in Malta."

What relates to personal data under the GDPR

Personal data includes any information that relates to a subject, already identified or which can be identified. 

Thus, personal data includes:

  • Full name
  • Address
  • Phone
  • Passport data
  • Birth information
  • Email
  • Social media accounts
  • Others

What are the requirements for the gambling business under the GDPR

Thus, if you are subject to the GDPR, it is worth checking your business for compliance with the following requirements and identifying risks:

  1. Security by default. This new principle in the regulation implies that you have to take into account the requirements I have for processing of personal data at the stage of design processing.      
  2. User Consent. Such consent can be expressed as part of the user agreement. You can read about how to correctly draw up a user agreement for the gambling business in our other article "Development of documents for gambling projects: Terms, Privacy, Cookie, AML / KYC Policy". Consent to the processing of personal data must be:      
    • Free data
    • Specific
    • Informed
    • Unambiguous. It should be expressed in action, so it is best not to check the box by default for the user.

Risks of violation of GDPR requirements

Prompt notification. If the operator has violated the security of personal data, then he is obliged to notify the subject, i.e., the player himself and the supervisory authorities. The subject should be notified as quickly as possible, and there is a specific deadline for notifying the supervisory authorities - within 72 hours.

A responsibility. For violation of the rules, the company can be fined up to 20 million euros or 4% of the company's annual turnover.

If a gambling platform is not ready for GDPR compliance, it is worth limiting access to your website for EU countries. These technical settings will give you a period to adapt to the requirements of the act.

Thus, when creating a gambling business, one cannot ignore the requirements for the processing of personal data provided for by the GDPR. First, it's worth deciding whether your project is covered by the GDPR. If so, then the inconsistencies should be identified and corrected. Otherwise, the European supervisory authority may be held accountable. Our lawyers at A4 Law Firm will help you draw up documents that comply with the GDPR requirements, as well as check whether the processing of player data complies with the norms of the European act.


Актуальные новости и статьи

Copyright protection for software and computer games is an issue that lawyers often face in connection with the active development of the gaming industry. Computer games are complex objects of intellectual property. Even if the developer registers a trademark and files a patent, some elements can still be used by third parties. The least protected objects include source code, game characters, music, graphics.
Узнать подробнее
Due to the development of cryptocurrencies and the growth of their value, legislators in many countries pay close attention to them and develop appropriate regulation. At the moment, Estonia is one of the most attractive jurisdictions for doing cryptocurrency business.
Узнать подробнее
A marketplace is an online platform designed for buying and selling goods. The marketplace acts as an intermediary between the buyer and seller, providing them with a convenient platform for placing goods and buying them.
Узнать подробнее
With the development of pop culture, the layer of its influence on society increases. At the time of 2021, there is a huge fan base, divided into societies, depending on their favorite work. Accordingly, in order to express their own creative potential, the fan base expresses it in the form of their own interpretation.
Узнать подробнее
Gibraltar is a British Overseas Territory located on the border of Europe and Africa and is an extremely attractive jurisdiction. Gibraltar is currently in the stage of economic growth, attracting a large number of investments from all over the world. Also, this jurisdiction is considered one jurisdiction with a high level of confidentiality and a fairly moderate tax regime. The first step in transferring your assets to Gibraltar is to set up a company. This is quite simple to do compared to other offshore jurisdictions.
Узнать подробнее
In the legislation of the Russian Federation, there is no mandatory requirement for registration of copyright. Copyright arises at the time of creation of the object, therefore, there is no obligation to legally enforce the right. Despite this, attribution disputes are not uncommon for courts, and a deposit procedure exists to avoid lengthy litigation.
Узнать подробнее
In connection with the general transition to online, business owners are increasingly faced with the need to create a website. Online business presentation increases your sales and brand awareness. At the same time, you should take a responsible attitude to the legal registration of relations with the developers of the site, since mistakes in drawing up a contract can lead to extremely negative consequences.
Узнать подробнее
When deciding to block a site, government agencies are required to act in accordance with Federal Law No. 149. This law provides a large number of grounds for blocking any resource. Article 15.1 149-FZ and Decree of the Government of the Russian Federation of October 26, 2012 No. 1101 establish a list of bodies authorized to make a decision on blocking a site, and also introduces a register of sites containing information prohibited in Russia. Any resource for which such a decision has been made is included in this register. Inclusion of a site in such a register means restricting access to it in Russia. Internet providers rely on this registry and, when any site gets there, they suspend access to it.
Узнать подробнее
By pressing the subscribe button I agree to the  Privacy Policy
г.Москва г. Москва, Новоданиловская наб., дом 6, корп. 1, БЦ "Данилов плаза" +7 (499) 841-05-05