Q&A: EGBA’s Code of Conduct on data protection in online gambling

On 10 June 2020, EGBA published a draft Code of Conduct on data protection in online gambling. The Code of Conduct (referred to as the “Code”) introduces essential sector-specific rules and best practices to ensure the highest standards in data protection and GDPR compliance for the online gambling sector. The Code goes beyond the requirements of the GDPR and introduces dedicated rules for online gambling companies aimed at, for example, enhancing data portability rights, transparency and preventing and/or mitigating breaches of personal data. Through the use of case studies, summaries and examples of good practices, the Code addresses specific features of the online gambling sector, providing companies with clarity on areas where interpretation on GDPR implementation is needed (for example, regarding the use of personal data to identify and address problem gambling behaviour), as well as ensuring that customers are reassured that their personal data is used appropriately. Below are some questions and answers about the Code.

Whose initiative is the Code?

The Code is an initiative of the European Gaming and Betting Association (‘EGBA’). EGBA is the Brussels-based trade association representing the leading online gaming and betting operators established, licensed and regulated within the EU and UK. These are bet365, Betsson Group, GVC Holdings Plc, Kindred Group Plc, and William Hill Plc. EGBA members accounted for 25% of Europe’s online gambling revenue in 2018 and together have more than 16.5 million customers in Europe.

What is the relevant legal basis?

The Code has been prepared in accordance with Article 40 of the EU General Data Protection Regulation 2016/679, which encourages the use of sectoral codes of conduct to support the proper application of the GDPR. Adhering to an approved sectoral code is a factor in demonstrating a company’s compliance with the GDPR and is taken into account by the relevant national Data Protection Authority (‘DPA’) when deciding on enforcement actions for breaching the GDPR.

What is the objective of the Code?

The Code is introduced as part of EGBA’s wider efforts to drive industry standards and aims to achieve three objectives: to provide guidance to online gambling companies on how to apply the GDPR; to foster trust with customers and improve transparency on how their data is used; and to assist online gambling companies in achieving a harmonised application of the GDPR, taking into account the specificity of the gambling sector. The Code is intended to complement and reinforce the online gambling sector’s compliance with the GDPR provisions and is one of the first ever self-regulatory initiatives for any industry’s compliance with GDPR.

What is the scope of the Code?

Once approved, the Code will be applicable in all EU/EEA countries. The Code will apply to all EGBA members and is open for signature by other online gambling companies who are licensed in these countries. The Code covers all types of processing of the personal data of customers in the online gambling sector but not the processing of personal data in the context of: (i) the company-employee relationship; or (ii) offline activities, for example, in bricks and mortar betting or gambling establishments.

How was the Code developed?

A stakeholder consultation was carried out by EGBA for four weeks, from 28 January to 25 February 2020, to receive the feedback of other industry stakeholders. The consultation was published on EGBA’s website and distributed to stakeholders via social media and EGBA’s monthly newsletter, which is sent to gambling companies, national industry associations, gambling regulators and other industry stakeholders. All interested stakeholders were invited to submit comments on the draft code, and the comments received have been taken into account during the review of the code. Besides the public consultation, the data protection officers of EGBA member companies have participated actively in the drafting of the code and reviewed its content multiple times throughout the drafting process.

What type of measures are proposed in the Code?

The Code introduces essential rules to enhance data portability rights – for example to allow customers to transfer their personal data (player account registration, transactions history, marketing preferences, etc.) from company to company in an easier and more secure way; essential transparency standards; and the requirement for online gambling companies to introduce plans to prevent and/or mitigate breaches of personal data. The Code also introduces best practice guidance on how online gambling companies should use personal data when establishing VIP accounts, balancing privacy concerns against the duty to address problem gambling, in direct marketing activities, and in detecting fraud.

How will the Code be applied?

The Code will apply to all signatory online gambling companies. EGBA endeavours to ensure that compliance with the provisions of this Code, by its signatories, will be monitored regularly in a transparent and accountable manner by an independent third-party monitoring body.

How will the Code be approved?

The Code is a transnational code, as it covers processing of data in most EU countries, and has been submitted to the Maltese DPA – the Office of the Information and Data Protection Commissioner (‘IDPC’) for formal approval.[1] The process for its approval involves different national DPAs: on a voluntary basis, a maximum of two other DPAs will co-review and assist the IDPC with the substantive assessment of whether the Code adheres to the GDPR. After this assessment is completed, the IDPC will decide to refuse the Code or approve it. If approved, the IDPC will submit the Code to the European Data Protection Board (‘EDPB’) for their opinion on whether the draft code complies with the GDPR. The EDPB will then communicate this opinion to the IDPC. If the EDPB’s opinion endorses the Code’s compliance with GDPR, the IDPC will formally approve the Code and communicate this decision to all the other national DPAs in the EU. If the EDPB opinion proposes amendments to the decision of approval, the IDPC will decide, and communicate to the EDPB, as to whether it will maintain or amend its draft decision on approving the code.

Why was the DPA in Malta chosen?

EGBA chose the IDPC as the Competent Supervisory Authority for the Code, following the factors drafted by the European Data Protection Board in their Guidelines on Codes of Conduct – as Malta is both the location of the largest density of the processing activity, or sector, and the country where relevant initiatives have already been developed by the supervisory authority in this specific field.

How long does the Code apply?

When the Code is formally approved, it will become legally binding for its signatories. The Code has unlimited duration and is subject to updates of its terms. The Code is a living document and is intended to be further developed over time (if practical issues arise with the effective implementation of the GDPR and in view of further guidelines from competent data protection authorities).

How will the success of the Code be assessed?

The Code will be monitored by an independent third-party monitoring body which will check the compliance of the signatories with the provisions of the Code.

[1] As of 01 February 2024, EGBA is currently working to update its draft GDPR code, to incorporate recent technological and legal developments, and, once this revision process is complete, will resubmit a revised code to the Maltese Data Protection Authority for its approval.
