Dr Emma Grech LL.D. (Melit.)

The General Data Protection Regulation (the “GDPR”)(1) is set to become enforceable on 25 May 2018. It requires businesses to carry out an entire reassessment of their data processing architecture. Business-to-consumer (B2C) remote gaming operators in particular have, in view of their trans-border, player-transacting nature, been tasked with an arduous compliance project in advance of the now imminent deadline. While, generally speaking, in the same compliance boat as other online businesses, remote gambling companies – navigating a web of heterogeneous national gambling law rulebooks across the EU Member States, as well as operating in strong reliance on the personal data they collect – face an array of unique challenges in the face of the GDPR.



It was in 1995 – 23 years ago – that the EU welcomed the Data Protection Directive (the “DPD”)(2). The DPD has borne witness to countless technological advancements, many of which, in some way or another, implicate and, or impact, personal data. In the meantime, the Internet itself – an aggressive data-sharing engine – has become modernity’s most workable medium, replacing the brick-and-mortar. The cloud, artificial intelligence, as well as data analytics are hyper-connecting companies and people across the globe. In full realization that the 1995 rules were not reflective of what had effectively become today’s ‘e-information society’, the text for the DPD’s directly applicable successor – the GDPR – was finally approved in 2015.


The GDPR builds on the DPD(3), and seeks to address many of the DPD’s limitations. Set against the backdrop of a data-driven world, the GDPR places a newfound emphasis on accountability, compelling businesses, generally, to maintain an audit trail that essentially records how they collect the personal data, what they do with such data, and for how long they retain that data. Inspiring accountability are the steep fines for privacy infringements which entities processing data now face; that is a maximum of 20 million Euro or four percent of the relevant entity’s annual global turnover, whichever is greater.

Paying homage to the borderless online era, the GDPR has also widened and clarified the DPD’s territorial scope. In general terms, it will apply to an entity processing the personal data of data subjects residing in the EU, whether or not that entity is situated in the EU. On a related note, the transfer of data to third countries under the GDPR – similarly to the DPD – poses challenges. The GDPR maintains that the transfer of personal data outside the EU will only be permitted if certain additional requirements are met: in particular, on the basis of the individual’s consent; Standard Data Protection Clauses; Codes of Conduct; or an accepted Certification(4).

Where data is collected on the basis of consent (for instance, for the purpose of e-mail marketing), the requirements for the obtainment and granting of that consent have been tightened: data subject consent must be informed, unambiguous, and provided by way of ‘clear, affirmative action’(5). Indeed, the GDPR works to enhance data subject protection. It introduces novel data subject rights; for example, the controversial ‘data portability’, by virtue of which individuals may demand the receipt as well as porting of their personal data across different service providers – the latter of which may very well be competitors. In addition, the GDPR mandates that entities processing data notify a data privacy breach to the relevant supervisory authority in writing, without undue delay, and not later than 72 hours after the discovery of such breach.

The GDPR has, without a doubt, become user-centric.


While the GDPR will naturally apply across all organisations that process personal data and fall within its remit, the online gambling industry – as mentioned further above – brings with it sector-specific characteristics that merit focused attention.

3.1 Case-by-case

The iGaming industry is rife with diversity. Smaller B2C companies may be able to bypass some of the GDPR’s requirements. An operator employing fewer than 250 persons will not be required to maintain such detailed records unless the relevant processing poses a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes certain categories of data. Further, those entities that provide business-to-business (B2B) services may find themselves largely unaffected by the GDPR in view of the fact that they will almost certainly not be processing personal data on a large scale.

There is, therefore, no such thing as a standard approach to the GDPR in the online gambling space. The larger B2C entities in particular will need to look inwards to assess the extent of the impact the GDPR is to have on their activities. Naturally, as the staple business of gaming operators comprises the processing of player data – whether at onboarding stage, the active play stage, and, or via the monitoring of player conduct for the purpose of augmenting or personalising the customer experience – preparation is vital. In this regard, an important step for operators, as part of their data mapping exercise, would be to formulate a personal data inventory. Other than serving to form part of the now crucial compliance audit trail, this would, going forward, assist operators in their decision-making on matters connected with the GDPR.

3.2 The Data Protection Officer

It is envisaged that the majority of B2C online gaming operators will need to appoint a data protection officer (“DPO”). The GDPR maintains that an entity operating, as its core activity, a business which, by virtue of its nature, scope and, or purpose, requires regular and systematic monitoring of data subjects on a large scale, will need to appoint a DPO. The DPO will be responsible for providing guidance to the operator as to its obligations under the GDPR; monitoring GDPR-compliance; providing the point of contact for players in the case of queries or complaints relating to data privacy; and liaising with the local supervisory authority, amongst other things. The DPO must be adequately qualified and experienced. Notably, the GDPR allows the DPO role to be outsourced.

3.3 Data Portability

Data portability is one of the major concerns facing online gambling operators in the wake of the GDPR. Players divulge a great deal of personal data to operators: including, of course, their basic identification details; playing history; payment transactions; and playing habits. In terms of the GDPR, and generally, a player shall not only have the right to request receipt of such data from the operator in a structured, commonly used and machine-readable format, but may also demand that that data be transferred to another operator. Rather disconcertingly, this means that operators may attempt to target players belonging to other companies by enticing them away with more attractive packages or bonuses.

Data portability will, in simple terms, increase operator expenditure. Apart from having to stealthily dedicate more resources to player retention methodologies, operators will also need to find ways and means of executing the data portability obligation – or face the consequences of not doing so.

3.4 Problem Gambling and the Right to be Forgotten

Operators will need to be careful about the manner in which they process erasure requests under the GDPR’s right to be forgotten, particularly in view of any applicable self-exclusion or self-barring mechanisms in place under the relevant gambling legislation. In the scenario where an existing self-excluded player demands that all personal data held about him be deleted, it must be borne in mind that the right to be forgotten is not an absolute right. When the personal data is being used to satisfy a legal obligation (such as, for instance, ensuring that a self-excluded player does not participate in any games throughout the relevant period of self-exclusion), the operator may be required to retain that data.

3.5 Consent

Online gambling operators market heavily and in many different ways. Examples include player profiling, tracking and the use of cookies. Under the GDPR, all of these activities will, in principle, require explicit player consent. Operators and affiliates will, beyond 25 May, not be permitted to implement these marketing strategies vis-à-vis players that have not given their consent in the manner required under the GDPR or who, having given their consent, later withdrew it. In terms of the GDPR, players must be granted the option to withdraw their consent at any time.

3.6 Affiliates

The GDPR has catapulted the ‘operator-affiliate’ relationship into the limelight. Depending on whether they process data themselves or on an operator’s behalf, affiliates may be viewed as either data controllers or data processors. It is noteworthy that the DPD does not entertain a statutory obligation for processors to comply with data protection rules with respect to the processing they carry out on behalf of data controllers. Unlike the DPD, however, the GDPR entertains a relatively level playing field for both controllers and processors – resultantly, affiliates that are processors will, under the GDPR, become directly liable for compliance. Depending on the circumstances, players may thus be able to file claims for privacy breaches against both the gaming operator and, or its affiliates. Moreover, and due to the GDPR’s extended territorial scope, affiliates situated outside the EU will likewise be affected.

In order to ascertain, as far as possible, the correct attribution of responsibility among operators and affiliates, operators should ensure that any intermediary agreements entered into with their affiliates – whether these are situated within or outside the EU – expressly lay down the requirement for compliance with the same gambling, advertising and data protection legislation that binds the operator; and, in addition to this, and where applicable, contain the mandatory processing terms as stipulated in the GDPR(6).


While the personal data of players is not treated as a ‘special category’ of data under the GDPR(7), the gambling sector has always presented unethical connotations associated with gambling addiction, spendthrift behavior, and resulting negative repercussions. As a result, a privacy breach in the realm of online gambling could have dire implications for all parties involved, inclusive of damage to one’s reputation. For data controllers, and other than the risk to reputation, the possibility of making undesirable headlines, and the resultant potential loss in business, the implications of a privacy breach are various, inclusive – depending on the applicable gambling legislation – of the loss of the online gambling licence itself.

This only means that data controllers operating in the area would do well to pay due regard to the GDPR’s requirements. After all, there’s a good chance that non-compliance will prove costlier than doing it right the first time around.

(1) Regulation (EU) 2016/679.
(2) Directive 95/46/EC.
(3) The GDPR does not amend the DPD’s underlying rationale for the protection of personally identifiable data. The core data protection principles found in the DPD have essentially remained unchanged (Article 6, DPD and Article 5, GDPR). Technically speaking, therefore, businesses that have properly adhered to the DPD’s provisions should not be far off from achieving GDPR-compliant status.
(4) Articles 40-50, GDPR.
(5) Article 4(11), GDPR.
(6) Articles 28-36, GDPR.
(7) Article 9, GDPR.


The information provided herein is not intended to constitute advice of any nature whatsoever. While every effort has been made to ascertain correctness, the author assumes no responsibility for errors, inaccuracies, omissions or any other inconsistencies herein.