// PUBLIC GAMING INTERNATIONAL // January/February 2016
States independently from any national law. That is to say, Member States and natural and legal persons are obliged to comply with the letter of the Regulation as soon as it comes into force. That is already a significant change for the Member States of the EU and the market.
The future General Data Protection Regulation (“GDPR”) imposes multiple obligations on lottery operators and provides enhanced rights to citizens. Lotteries should already be preparing for compliance with the prospective GDPR. The GDPR has yet to receive the final vote from the European Parliament and the Council of the EU, but a final compromise agreement was reached between all EU legislative institutions on 15 December 2015. Moreover, the text is not likely to undergo any amendments in the coming weeks.
In the following paragraphs we outline the (new) rights that citizens are entitled to, the main obligations impacting lotteries and other gambling operators, and the steps required for lotteries to meet those new obligations.
First, we start with the new rights granted to consumers. One of the new rights, coming from the case law of the CJEU,⁵ is the “right to be forgotten.” This is the data subject’s right to request erasure of the data from the controller and/or the third party to whom the data have been disclosed in case, for example, data are no longer necessary for the processing purpose for which they were collected; data have not been duly processed; there is a decision or judgment ordering the data erasure by a court or a regulatory authority in the EU; or the data subject withdraws its consent. A second addition is the right to “data portability.” This grants the data subject the right to receive an electronic copy of the data undergoing processing, in a commonly used format that allows further use of the data (e.g. by another controller or processor). Additionally, data subjects benefit from the following new rights: the right to have an electronic and intelligible copy of the data transmitted, and intelligible information on whether their data are processed, the period during which they will be stored, whether they are transferred to a third party, the details of the data protection supervisory authority with which possible complaints may be lodged, and the rights to request the erasure or modification of the data transferred; the right to object to the processing of the data in particular situations, such as objection to the processing of personal data for marketing purposes; the right to lodge a complaint with the national supervisory authority; and the right to initiate proceedings against the controller and/or the processor of the data, either before the Courts of the Member State of establishment of the controller or the place of residence of the data subject.
We now turn to the obligations that must be met by companies acting as data controllers or processors. The most significant principles on the processing of personal data to which lotteries are subject under the future GDPR are outlined in the subsequent paragraphs of this article.
Lottery and gambling operators (that qualify as data “controllers” under the GDPR) are allowed to process data if at least one of the following situations applies (among other things): (i) controllers have received the data subject’s consent. The final text of the GDPR now requires this consent to be unambiguous (and explicit in case of sensitive data); (ii) the processing is necessary for performing a contract to which the data subject is a party (which is most likely to be the case especially with regard to online gambling activities); (iii) processing is required to follow legally-binding rules under national law to which the controller is subject (and typically applicable to lottery and gambling operators since they are usually subject to specific national legislation requirements in fields such as player accounts and customer due diligence). The burden of proof relating to this consent must in any case be borne by the controller/processor. Moreover, should lotteries or gambling operators receive the data subject’s consent in a written statement concerning other issues/aspects as well, then lotteries must be able to demonstrate that the consent given for the processing of data is clearly identifiable and distinguishable from the statements applicable to the other concerns. To illustrate this obligation: lottery operators active in the EU are in principle, and especially with regard to their online activities, subject to national legal obligations such as setting up player accounts or checking players’ identity; in particular, the 4th Anti-Money Laundering Directive⁶ now obliges all gambling operators to conduct (under certain conditions) customer due diligence (entailing, especially, the collection of their customers’ personal data and the effective beneficial owner’s identity). Lotteries, as well as other gambling operators, will therefore have to restrict the processing to the extent necessary for the purpose for which the data has been gathered (e.g. should data be provided for AML purposes, such data may not be used for commercial purposes unless otherwise approved by the data subject).
5 See C.J.E.U., Google Spain, C-131/12, 13 May 2014.
6 Directive (EU) 2015/849 of the European Parliament and of the Council of 20 May 2015 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, amending Regulation (EU) No 648/2012 of the European Parliament and of the Council, and repealing Directive 2005/60/EC of the European Parliament and of the Council and Commission Directive 2006/70/EC