EGBA adopts new data protection code
The European Gaming and Betting Association (EGBA) wants to keep improving data protection in online casinos. Players should be happy. In this context, the EGBA has adopted a new code of conduct on data protection compliance. It is partly based on the EU General Data Protection Regulation 2016/679 (GDPR) and is at the same time one of the first self-regulatory measures in the industry that is based on the measures of the GDPR.
More protection for European citizens and gamers
Data protection has not only come to the fore with the new EU General Data Protection Regulation. This is exactly what the European Gaming and Betting Association (EGBA) has now used as the basis for a new data protection code. This is said to ensure that all EU regulations are respected in online gambling. EGBA Secretary General Maarten Haijer explained that the issues of data protection, the use of personal data and the protection of privacy are of increasing importance to European players. For this reason, the Code has now been published on the occasion of the two-year anniversary of the General Data Protection Regulation. All in all, according to Haijer, the approximately 16.5 million gambling customers in Europe could be better protected through the new code.
This is both gratifying and remarkable. With this code, the European gaming industry is one of the first to introduce a self-regulatory measure that adheres to the requirements of the General Data Protection Regulation. The EGBA worked out the corresponding measures from the Code together with its members. As early as January of this year, numerous areas were provided with various regulations. For example, members must always be transparent, lawful and fair when collecting user data. In addition, the documentation and mapping of the data must be guaranteed at all times.
In addition to regulations, also recommendations
Mapping means that the companies check and control the data on the players. However, the EGBA does not provide precise specifications for the mapping. Rather, it is up to the members themselves to create suitable concepts and measures to comply with the requirements. In addition to the mandatory measures, the EGBA also offers a number of options in the new code and makes recommendations to the companies. For example, the association recommends always citing the sources of personal data. It should also be precisely recorded why and for what purpose the data was used and where the data is stored. Subsequently, the companies should continuously analyze whether the data processing is being carried out lawfully.
Once the members have completed the analysis of all aspects of data protection, a so-called risk assessment must be carried out. Possible other security gaps or breaches of the data protection regulations are listed here and of course corrected. According to the EGBA, all members are also obliged to continuously document that the specifications of the new code are being observed. This is not only done by the companies themselves, but should also be ensured by audits by external companies. The proof of conformity used for such a test must then be kept for at least three years.
Players should be able to revoke consent
The challenges that await the industry with the new code go much further. The companies undertake to obtain appropriate permission before collecting user data. This must be actively granted by the players, for example by ticking a box on the website. At regular intervals, companies should also give their customers the opportunity to withdraw their consent. Another specification relating to the data records is the area of use. The collected data may therefore only be used where it was actually collected. For example, the companies are not allowed to use any security-related information or data to create personalized advertising offers for the players. In addition, the players should be informed about all relevant laws. At the same time, the EGBA requires that the reasons for the collection of various data are made clear to the players.
If a player deletes his account with one of the providers, according to the EGBA, the companies should no longer be allowed to keep the data. An exception only exists if the legal obligations require a longer storage period. In any case, the EGBA stated that the customer's player data should not be kept longer than possible. However, companies are also permitted to withhold information about the collection of the data. Here, too, there must be a special case, such as an ongoing investigation. The staff of gambling companies also have to adapt to innovations. Employees should undergo special training so that customer requests can be better processed. In the future, players should be able to request their own data if they want to. If the gambling companies lose a user's data or if it is stolen by hackers, for example, the support teams must inform the customer within 72 hours.
MGA from Malta still has to give the green light
When exactly the code of the EGBA will be implemented in practice is still open. What is certain is that this should happen as soon as possible. In order to really be able to clear all possible hurdles, the Code was submitted by the EGBA to the Maltese Lotteries and Gaming Authority. This is considered the most influential and best gambling authority in Europe. The MGA will now check whether the code complies with the requirements of the GDPR in all points. If this is the case, the authority will give its approval and the requirements of the code could be put into practice.