Public Gaming Magazine January/February 2016

// PUBLIC GAMING INTERNATIONAL // January/February 2016

States independently from any national law. That is to say that

Member States and natural and legal persons have the obliga-

tion to comply with the letter of the Regulation as soon as it

comes into force. That is already a significant modification for

the Member States of the EU and the market.

The future General Data Protection Regulation (“GDPR”)

sets multiple obligations upon lottery operators and provides

enhanced rights to citizens. Lotteries should already prepare

their compliance with the prospective GDPR. The GDPR must

yet receive the final vote from the European Parliament and the

Council of the EU, but a final compromise agreement has been

reached between all EU legislative institutions on 15 December

2015. The text is moreover not likely to suffer from any amend-

ments in the coming weeks.

We outline in the next paragraphs of this text the (new) rights

that citizens are entitled to, the main obligations impacting lot-

teries and other gambling operators, and the steps required for

lotteries to meet those new obligations.

First, we start with the new rights granted to consumers. One

of the new rights, coming from the case law of the CJEU

, is

the “right to be forgotten.” This is the data subject’s right to

request the data erasure to either the controller and/or the third

party to whom the data have been disclosed in case, for exam-

ple, data are no longer necessary for the processing purpose for

which they were collected; data have not been duly processed;

there is a decision or judgment ordering the data erasure by a

court or a regulatory authority in the EU; or the data subject

withdraws its consent. A second addition is the right to “data

portability.” This grants to the data subject the right to receive

an electronic copy of the data undergoing the processing in a

commonly used format and that allows further use of the data

(by e.g. another controller or processor). Additionally, data

subjects benefit from the following new rights: right to have

an electronic and intelligible copy of the data transmitted and

intelligible information on whether their data are processed,

the period during which they will be stored, whether they are

transferred to a third party, the details of the data protection

supervisory authority to lodge possible complaints and the

rights to request the erasure or modification of the data trans-

ferred; right to object to the processing of the data in particular

situations, such as objection to the processing of personal data

for marketing purposes; the right to lodge a complaint with the

national supervisory authority; and the right to initiate pro-

ceedings against the controller and/or the processor of the data,

either before the Courts of the Member State of establishment

of the controller or the place of residence of the data subject.

We now turn to the obligations that must be met by com-

panies acting as data controllers or processors. The most sig-

nificant principles applicable to the processing of personal data

lotteries are subject to under the future GDPR are outlined in

the subsequent paragraphs of this article.

Lottery and gambling operators (that qualify as data “con-

trollers” under the GDPR) are allowed to process data if at least

one of the following situations applies (among other things): (i)

controllers have received the data subject’s consent. The final

text of the GDPR now requires this consent to be unambigu-

ous (and explicit in case of sensitive data); (ii) the processing is

necessary for performing a contract of which the data subject

is a party (which is most likely to be the case especially with

regard to online gambling activities); (iii) processing is required

to follow legally-binding rules under national law to which the

controller is subject (and typically applicable to lottery and

gambling operators since they are usually subject to specific na-

tional legislation requirements in fields such as player accounts

and customer due diligence). The burden of proof relating to

this consent must in any case be borne by the controller/pro-

cessor. Moreover, should lotteries or gambling operators receive

the data subject’s consent in a written statement concerning

other issues/aspects as well, then lotteries must be able to dem-

onstrate that the consent given for the processing of data is

clearly identifiable and distinguishable from the statements ap-

plicable to the other concerns. To illustrate this obligation, we

can put forward that, taking account of the fact lottery opera-

tors active in the EU are in principle, and especially with regard

to their online activities, subject to national legal obligations

such as setting up player accounts or checking players’ identity

and, in particular, given that the 4th Anti-Money Laundering

Directive

now obliges all gambling operators to conduct (un-

der certain conditions) customer due diligence (entailing, espe-

cially, the collection of their customers’ personal data and the

effective beneficial owner’s identity) lotteries, as well as other

gambling operators, will have to restrict the processing to the

extent necessary for the purpose for which the data has been

gathered (e.g. should data be provided for AML purpose, such

data may not be used for commercial purposes - unless other-

wise approved by the data subject).

5 See C.J.E.U., Google Spain, C-131/12, 13 May 2014.

6 Directive (EU) 2015/849 of the European Parliament and of the Council of

20 May 2015 on the prevention of the use of the financial system for the

purposes of money laundering or terrorist financing, amending Regula-

tion (EU) No 648/2012 of the European Parliament and of the Council,

and repealing Directive 2005/60/EC of the European Parliament and of the

Council and Commission Directive 2006/70/EC