The General Data Protection Regulation, which comes into force across the European Union on May 25, does not give UK-licensed gaming operators grounds to neglect their licensing and regulatory obligations, the UK Gambling Commission has warned in a note.
The eight-page statement pulls no punches and leaves operators in no doubt as to what is expected of them as licence holders.
“Some have expressed concerns to the Gambling Commission that GDPR will affect what
actions they can take to tackle issues such as problem gambling, and gambling-associated
crime,” the note reads.
“We take the view that GDPR is not intended to prevent operators from taking steps which
are necessary in the public interest, or are necessary to comply with regulatory requirements under a gambling licence.
“GDPR should not be improperly used as an excuse to avoid taking steps which enable compliance with licence conditions…”
“GDPR should not be improperly used as an excuse to avoid taking steps which enable compliance with licence conditions, promote socially responsible gambling and promote the licensing objectives,” the regulator writes.
The Commission went on to highlight instances in which the licence conditions and regulatory obligations must not be overlooked because of GDPR.
Applicable GDPR rights may not apply “where their exercise conflicts with important regulatory objectives – such as the refusal of service to underage gamblers.”
Right to erasure
“Under GDPR, data subjects may request that their personal data (including data which may be relevant to regulatory compliance) is erased. However, this right is not unrestricted. In particular, such requests are unlikely to be valid if retention of the data is still necessary in relation to a lawful purpose,” the Commission writes.
“Based on our experience of investigations to date, licensees should ensure that data which relates in any way to regulatory compliance should be available for a minimum period of five years after the end of a relationship with a customer.”
The regulator goes on to address specific scenarios that have been the subject of queries received, including anti-money laundering, self-exclusion, suspected illegal activities and social responsibility. The Commission also makes reference to the use of data in direct email marketing campaigns.