January/February 2016 // PUBLIC GAMING INTERNATIONAL //
Lotteries and gambling operators are also obliged to process data lawfully, transparently and fairly, to keep and record data in a form that allows only limited storage (as an exception, under specific conditions, longer-period storage is allowed when data are processed for archiving purposes in the public interest, e.g. for historical or statistical purposes), and to keep data up to date. Operators must collect data for strictly limited purposes and process it proportionately, i.e. not process the data beyond what is necessary to attain the purpose for which it was gathered (“data minimization”). Furthermore, data controllers will have to take the measures necessary for data subjects to exercise their rights. This includes, for instance, implementing internal policies, measures and procedures to comply with the following: providing the data subjects with information on the processing of their data (see above); replying to their information requests; informing them about the right to lodge a complaint, the right to erasure, to withdraw their consent and to make any modification to their data; and finally, notifying the national supervisory authority and the data subjects of any high-risk breaches that may impact the confidentiality and security of the data provided. The obligation to keep due documentation demonstrating that the gathering and processing of data is, or has been, performed in compliance with the GDPR is also part of the general obligations imposed upon lotteries.
Most lotteries and gambling operators are likely to fall under the obligation to designate a Data Protection Officer (“DPO”), who must be involved in all issues relating to the protection of personal data. Secondly, lotteries will have to perform an impact assessment. The aim here is to assess risks that could arise from personal data processing and that could impact the data subject’s rights and freedoms (e.g. discrimination, fraud, financial loss, theft …). This obligation also entails possible periodic reviews to demonstrate that the processing is still being performed in compliance with the data protection impact assessment. Moreover, lotteries will face the obligation to obtain the prior authorization of, or conduct a prior consultation with, either the DPO or, where no DPO has been appointed, the supervisory authority before processing the data. The purpose is to ensure that the data processing is compliant with the GDPR and to limit the risks involved when, for example, the impact assessment shows that the processing is likely to give rise to risks due to the nature, scope and purposes of the processing operations, or when the DPO or the supervisory authority deems it necessary to carry out a prior consultation. Lotteries and gambling operators must also implement all measures required to guarantee that the processing of the data is secure, and must implement policies and measures (technical and organizational) to demonstrate that data is processed in compliance with the GDPR’s provisions. This obligation entails setting up data protection measures by default, i.e. measures that automatically process only the required data and do not go further than what is necessary, and data protection measures by design, i.e. measures created having regard to specific processing features (including the scope, nature and purposes), with the aim of protecting data subjects’ rights and ensuring a high level of security given the likelihood that such processing creates risks and damages to data subjects’ rights and freedoms.
For online gambling operators, the application of the new anti-money laundering rules and the GDPR will most likely be much harder and have a greater impact on their business. In the UK, some betting operators have already expressed concern about the burden it will create for them. They have used the data of customers in various, often more aggressive ways, such as online direct advertising and monitoring of player behavior. The new rules will no longer allow them to do so in the same manner, which will in itself be a benefit for the average consumer.
Last but not least, the amount of the fines for non-compliance with the GDPR can now reach up to 4% of the controller/lottery’s global annual turnover.
To sum up what has been outlined above, as from the final adoption of the GDPR (which is likely to occur in the coming weeks), all EU Member States and data controllers (hence including lotteries) will have two years to carry out all the procedures, policies, impact assessments and appointments needed to abide by the rules laid down by the new GDPR. In view of the sanctions lotteries may face if they are found in breach of the GDPR, and the workload required to ensure strict compliance with this new legislative instrument, any loss of time appears to be very detrimental to lotteries’ business, image and solvency.
While it will also be an issue for lotteries, which is why the European Lotteries Association is already paying attention to it and talking to the authorities in a constructive manner, the spectre of a fine of 4% of global annual turnover is hanging over the private gambling and betting operators, especially the online operators, who have extensively used their customer data to enhance their business.