Expert Opinion: GDPR Concept, Focus Areas, and Application in Gambling
Purchasing something on the Internet or becoming a casino customer, users share their personal data with various companies and services. Sometimes they fail to control how and what for this information is used. Therefore, the EU has taken measures for protecting private information of citizens by adopting the GDPR. The article reveals thespecific nature of this regulation, what territories it covers, and the opinion of Saulius Pikturna, Attorney at BetGamesTV, regarding the GDPR.
What Is GDPR?
The General Data Protection Regulation (GDPR) is the EU decree containing the rules of collecting, processing, and storing personal data of European Union citizens. The regulations became effective on May 25, 2018. The document states that personal data means any information used to identify an individual.
The rules distinguish two subjects involved in personal data processing: a controller and a processor.
- Controller is an entrepreneur or a company that determines the method and purpose of information collection and processing.
- Processor is a legal entity, a government institution, or any other body that process private data on behalf of controller.
For example, an organization stores customer personal details on the cloud platform. Its staff uses this platform to solve various tasks. In this case, the cloud service is a processor and the company is a controller. The latter bears the biggest liability, as the processor serves only as a contractor.
“According to the GDPR, companies are allowed to collect only necessary user personal data. They are not allowed to store this information indefinitely. Besides, they are obliged to inform clients of how these details are applied,” the specialist says.
User Rights as Described in GDPR
Following the regulation, users have the right to:
- request conformation of whether their data is processed;
- know how long their private information will be stored;
- know why their data is processed, and with whom their personal data is shared;
- insist on correcting their information;
- receive copies of processed data and transfer them from one controller to another;
- ask companies to erase their personal information (the right to be forgotten);
- withdraw their consent for data processing;
- file a complaint to the supervisory body.
“All users have the right to insist any time on deleting all of their information obtained by the company,” Saulius Pikturna stresses.
Regulation’s Scope of Application: the CIS and Other States
The GDPR affects companies obtaining licenses in one of the EU countries as well as organizations from other states if they provide EU inhabitants with services and goods, or collect their private information by other means. These rules are also referred to processing data of individuals who live within the European Union but do not have the EU passport.
As to Russia, Belarus, Ukraine, and other CIS countries, entrepreneurs aimed at EU citizens and residents have to comply with the GDPR. This list includes various organizations and facilities: banks with subsidiaries in Europe (VTB, Sberbank, and others), gambling venues and organizations engaged in online sales (hotels, airlines), companies applying advertising cookies to monitor users, and other structures.
Controllers and operators that run businesses beyond the EU should appoint their representatives in Europe – Data Protection Officer (DPO). This person is responsible for organization’s compliance with the personal data protection law.
“I believe that the concept and rules of customer data collection, processing, and storage are still different in Russia and the EU.
If people give their consent for private information processing, it does not mean that companies can irresponsibly use it at their own discretion,” Attorney mentions.
GDPR Application in Gambling
The GDPR applies to casinos and betting platforms that have or may have EU clients. For instance, a gambling club is managed by a legal entity from one of the CIS countries. Inhabitants from Belgium visit this casino. With the venue processing private data of Europeans, it is obliged to adhere to the specified regulations.
The law is applicable to gambling clubs that:
- provide services in European languages (English, French, Italian, etc.);
- allow to make deposits in EU local currencies;
- use national top-level domains of the EU countries (de, nl, and others).
If gambling venues have no representative offices in European countries, but their casinos involve EU citizens and residents, they have to obey the GDPR.
“Gambling companies have treated GDPR’s new requirements quite seriously. Initially, they determine whether their measures for protecting customer personal data complied with the new rules. As the result, gambling industry representatives succeeding in adhering to the regulations have gained confidence of their consumers,” Saulius Pikturna notes.
Punishment for Regulation Violation
Each EU Member State has an independent supervisory authority aimed at considering and investigating complaints, as well as applying measures against lawbreakers. The operations are coordinated by the European Data Protection Board.
If controllers or processors violate the GDPR (consciously or inadvertently), they are liable to administrative fines. These penalties amount up to €20 million or up to 4% of the enterprise’s annual turnover for the previous financial year (depending on what sum is bigger).
Moreover, a written warning and inspections are applied to trespassers.
“Government institutions in European countries monitor the GDPR fulfillment. They impose penalties on companies violating the GDPR. Their amount can be different. For example, in 2019, a firm from France was fined €50 million, while a company from Germany was fined €20,000”, the expert explains.
The GDPR adoption is intended to protect personal data of Europeans from illegal use and distribution. It will allow users to control their private information.
Saulius Pikturna will talk about GDPR aspects in detail at RGW 2019.
The event will take place on June 6-7 in Moscow.