EGBA publishes data protection guidelines

The EGBA code is one of the first of its kind.

The European Gaming and Betting Association (EGBA) has published a code of conduct on compliance with EU data protection rules.

Belgium.- EGBA has published what it says is one of Europe’s first sector-specific self-regulatory codes on data protection compliance following a consultation with members that began in January.

The code presents guidelines for the sector to comply with the European Union’s General Data Protection Regulation 2016/679. 

Operators must set out a compliance framework covering the new code’s core areas: data mapping, lawful basis analysis, risk assessment, documentation and review, assessment and amendment.

They will be expected to carry out data mapping to audit all data they hold, including customers’ personal data, then undertake analysis to check data processing is lawful, and document its lawful basis.

Operators must also carry out a risk assessment and keep documentation that demonstrates their compliance with the code, including data maps, and a record of processing, and must continue to review and amend their data policy through periodic audits. Evidence of compliance used in audits must be kept for at least three years.

The EGBA added that data must be taken with player consent, for example through tick-boxes, and players must be granted an easy way to withdraw consent.

Data should be stored no longer than necessary and should not be kept after the end of a business relationship with a player unless there is a legal requirement.

Players must also be able to request their own data. Operators must train customer service teams to escalate requests and to notify customers of any data breaches within 72 hours.

The code has been submitted to the Maltese Data Protection Authority (MDPA) to ensure it complies with GDPR.

The MDPA, other EU authorities and the European Data Protection Board will review the code in a process that could take up to 24 months. 

EGBA Secretary General, Maarten Haijer, said: “On the 2-year anniversary of GDPR, issues around data protection, privacy and the use of personal data are still a concern for many European citizens.

“That’s why we’re pleased to introduce this new code which demonstrates the online gambling sector’s commitment to protecting the personal data of our 16.5 million customers and supporting the success of the GDPR.

“We’re pleased to be one of Europe’s first industry sectors to introduce a self-regulatory code which supports compliance with GDPR.

“Data, and how it is used, is playing an increasingly important role in how citizens and businesses interact online – and the online gambling sector is no different.

“This code outlines how online gambling companies should ensure their customers understand how their personal data is being used and provides important guidance on how companies should use personal data in their interactions with customers, including how they identify and address problem gambling behaviour in their customers.”
