On July 12, 2018, a web conference on GDPR took place. At this event, a representative of Slotegrator, a leading lawyer of this company, spoke about the regulation itself, its nuances, as well as about the countries where it will be applied. He also told about. how this innovation will affect the gambling business in general.
Content:
- General Provisions
- Subjectivity of the regulation
- Countries covered by the GDPR
- Data protection under the new regulation: application problems
- EU, GDPR: what are the chances of engagement with non-EU countries
- Non-compliance with GDPR principles: what it entails?
- Who controls the operators and where to complain to the players?
- GDPR Compliance Tips
Regulations (GDPR). defining the data protection procedure (its general provisions) entered into force on 25 05. Of 2018. The regulation is in force on the territory of the European Union and is intended to streamline, regulate the duties, as well as the rights of the parties working in the gaming industry or using its services in the processing of their personal data.
Simply put, those organizations that in one way or another use user data, collect it or process it, are obliged in their actions to be guided by the aforementioned regulation (GDPR).
Personal data means all information related to the client:
· his name;
· Postal or email address;
Transfer history
etc.
GDPR scope – individuals as well as legal entities.
Subjectivity of the regulation
It is divided into two subjects (conventionally):
· “Controller” – independent collection and processing of personal information;
· “Processor” – data processing.
The first, after collection, is given the opportunity and the right to transfer the information received to a third party, in particular, to the “Processors”, who, after processing, store it in their database. This action is performed on behalf of the controller.
Countries covered by the GDPR
First of all, the regulation applies in Europe. It applies to those companies that have EU licenses. In this case, the citizenship of the client does not matter. The data of a citizen of any country, it does not matter whether he is from Russia or, for example, from China, is processed under general conditions in accordance with the established regulations.
Used by the GDPR and by foreign companies that process data of EU citizens and those who live on its territory, but are not EU citizens.
Example: a company located in Russia has an online casino that is used by EU citizens. In this case, the requirements of the GDPR apply to her too. The data processing of the European client of this company is carried out in accordance with the provisions of the regulation.
Data protection under the new regulation: application problems
GDPR applies on the territory of the European Union, as well as beyond. However, the EU legislation is limited only to Europe, it does not apply to other countries. This is the main problem of regulations.
For example, to require the execution of GDPR provisions from the Russian company located in Russia, the EU authorities are not entitled, since Europe’s legislation in the Russian Federation does not work. But in case of identified disorders, they can take the following steps:
· Block the violator of the requirements of GDPR;
· Wash its assets.
The latter is only possible if the online casino assets are located in the EU. Conducted to withdraw by the authorities of the country in which they are posted.
Lawyers note that outside the EU to introduce this law will be very difficult.
The representative of Slotegrator (expert) noted that for the implementation of the GDPR, its effectiveness and the integration of the regulation outside the EU, it is possible for the EU to conclude international treaties. This refers to countries that are not part of the EU. He believes that of such countries, the United States will be the first to sign such an agreement. This would make it possible to apply the regulation to all American companies that process personal information of customers.
However, today there are no such international treaties (according to the expert).
EU, GDPR: what are the chances of engagement with non-EU countries
According to lawyers, there is no chance of cooperation between countries on the GDPR adopted in the EU, or they are minimal. Difficulties and frictions are bound to arise between states. And what they will be and what they will result in (after signing the regulations), it is difficult to guess in advance. Therefore, preventive measures cannot be taken.
The authorities of the European Union, states that are not part of it, cannot coerce to cooperate within the framework of the EU GDPR. They can only agree with them on cooperation. But whether such large players as China or the USA, Russia will agree to the terms of the European regulation is unknown, since they are also developing and implementing new rules on data protection in the gambling business.
The main goal of the new law is simple and obvious. The EU needs one way or another to force major players such as Microsoft (for example) to comply with the requirements for the processing of personal data. And it is not known whether non-EU states will agree to enforce order on their companies, especially within the framework of the EU regulations.
Non-compliance with GDPR principles: what it entails?
There is no exact answer to this question. At least this is what Slotegrator’s legal department thinks. When processing personal information, it is required to comply with obligations, requirements, as well as many new rules of the regulation. Violations are investigated and sanctions are imposed on the person who violated them.
When processing, one has to take into account the provisions of the GDPR, which allow it to be carried out only with the consent of the client (personal) or in special cases prescribed in the regulations. The client’s consent is not required when information is processed:
· In order to comply with legal obligations (and not all, but only a certain part of them);
To ensure the fulfillment of the terms of the contract, which arises from an agreement concluded with a certain person for the processing of his personal data.
For example, there is an agreement between the player and the operator stating that. that the winnings are sent to the client’s bank account. In this case, his consent is not required. Neither the processing nor the storage of his personal information.
Processing is also required when it is necessary to protect the legitimate interests of the player. An agreement is not needed when the client has any obligations or legitimate reasons for storing his information and processing it. But in this case, there must be a legal justification for such actions.
An online casino employee (operators) is not entitled to violate the GDPR regulation. To do this, in their activities, they have to take into account some conditions of its use, namely:
1. The most important thing. Client (player) providing their data to the organization. it is necessary to notify (first of all) about his rights. Then, about how the processing is carried out, about the purpose of it, how long his personal information is kept by the controller.
2. Every company must take steps to ensure that processing is compliant with the principles and requirements of the GDPR.
3. Measures should be taken to ensure that the information is securely stored by the trusted organization. Data must be protected from theft, loss, disclosure.
Actually, these are the basic principles of the GDPR. As well as the measures that must be taken by any gaming company in order to ensure safety (in accordance with the principles of the regulations).
Interesting Facts
In connection with the above, the following should be noted:
· The correctness and reliability of the data provided (the basis of the regulation);
· Their owner must know everything about the processing of his personal information;
· Information is processed only for the performance of a specific task, in the amount necessary for this, until the task is completed;
· Accuracy and relevance of processing;
Updating the database when the provided information changes.
Who controls the operators and where to complain to the players?
There is no single body that manages and monitors the implementation of the regulation in the EU. Each country has its own. He exercises control, as well as monitors and manages the work of national operators.
Any player can complain about the operator. But the submitted complaints are considered at the regional level, i.e. e. in each country separately.
For improper execution or non-compliance with the regulations by the operator (gambling establishment), a fine is provided. Size – 20 million euros or 4% of the proceeds for the year preceding the violation. The fine is levied to the maximum, therefore, when imposing a punishment, it is taken into account which of these amounts will be greater. However, the mention of such a penalty does not mean that it will be applied to every violator.
The right of recovery is granted to every country in Europe. It is their national authorities that will determine:
• is there a violation;
· Its duration and severity of the act;
Based on the above, the amount of the fine is determined (in each case separately).
GDPR Compliance Tips
Concluding the description of the GDPR regulation, it is worth giving a few recommendations to the person who decides to use it.
1. Analyze the data provided by the player. Divide them into categories: requiring consent and not requiring it.
2. Minimize information. Less data means less responsibility.
3. Set a separate link for the client’s consent.
4. Data security both during storage and during processing must be one hundred percent.
5. Additional security measures are needed. Introduced at the discretion of the operator.
6. The rights of clients must be spelled out in an accessible language, specified and communicated to each player.
It happens that an organization stores its data on third-party servers (of another operator). In this case, it automatically becomes a member of the regulations and. therefore bears full responsibility for the processing and storage.
This circumstance must be prescribed without fail with all interested parties, for example, in contracts with payment systems.
For those who are interested, we inform you that the webinar, which Login Casino is holding together with Slotegrator, will take place on August 21. Theme – virtual sports. Beginning – 19 hours 00 minutes Moscow time.
Who wants to know why successful operators are betting on this gaming, join. Learn a lot of new and interesting.