The EGBA publishes code of conduct on data protection in online gambling

A code of conduct is a voluntary accountability tool, prepared by associations or bodies, enabling controllers or processors within their sectors to demonstrate compliance with the GDPR. It comes with assurance from the relevant national Data Protection Authority (DPA) that the code and its monitoring are appropriate (and, where a draft code of conduct relates to processing activities in several Member States, it must be subject to an Opinion from the European Data Protection Board (EDPB), and other national DPAs may also review the draft code).

Examples of code drafters may include: an association/consortium of associations or other bodies representing categories of controllers or processors; sectoral organisations; trade or representative associations; academic associations; or interest groups.

If it receives EU-approval, the EGBA Code would be applicable in all EU/EEA countries. It would apply to all EGBA members and be open for signature by other online gambling companies who are licensed in these countries. In respect of this, the UK's Information Commissioner's Office (ICO) has previously noted that, while signing up to a code of conduct is voluntary, "if there is an approved code of conduct, relevant to your processing, you should consider signing up".

The EGBA Code covers all types of processing of the personal data of customers in the online gambling sector, but not the processing of personal data in the context of: (i) the company-employee relationship; or (ii) offline activities, for example, in bricks and mortar gambling establishments.

For the purposes of Article 40 GDPR, the EGBA Code is a draft code, and must go through a review process before becoming an approved code of conduct for GDPR purposes. As the first stage of the approval process, the EGBA Code has been submitted to the Maltese DPA - the Office of the Information and Data Protection Commissioner (IDPC) - for approval. It is possible that other national DPAs may opt to become involved in the review process, as co-reviewers alongside the IDPC. If approved, the IDPC will submit the draft EGBA Code to the EDPB for its Opinion on whether the draft code complies with the GDPR. The EGBA estimates that this process may take 18-24 months. Until that approval process is finished, it is important to note that the EGBA Code does not have formal status.

Given that this is one of the first times that a specific industry sector has sought approval for a GDPR code of conduct, it will of course be interesting to see the extent of any comments and feedback which emerge from the review process. It also remains to be seen whether any other national DPAs opt to become involved in the review process alongside the IDPC. The UK's ICO may have been interested in contributing to this process, given previous dialogue between the Gambling Commission and the ICO regarding data protection issues within the sector. However, the rapidly approaching end to the Brexit transition period may limit the ICO's involvement.

The online gambling sector presents some unique data protection issues upon which there has been little guidance to date. For example:

• how companies should establish player accounts for “VIP” customers in a way which respects privacy and the use of personal data;
• how companies should balance a customer's privacy and data protection rights against the need to protect them from problem gambling; and
• appropriate measures to prevent fraud and ensure data is used to comply with applicable laws.

Through the use of case studies (see pages 44-48), summaries and examples of good practices, the EGBA Code addresses these specific features of the online gambling sector, providing companies with clarity on areas where practical guidance regarding GDPR implementation is needed, as well as ensuring that customers are reassured that their personal data is used appropriately.

To take one of the above examples, when setting up a VIP scheme for loyal players, the EGBA Code notes that a gambling operator should consider four specific issues:

1. Profiling: Where the operator is undertaking profiling to identify those that may be suitable for any VIP scheme, it should consider its legal basis for processing carefully. The EGBA Code notes that an operator will likely want to rely on legitimate interests as its lawful basis for such profiling. If doing so, the operator must carry out a legitimate interests impact assessment to assess the balance between its business interests in setting up the scheme and selecting VIPs, and the privacy rights of such players.
2. Special Category Data and Proportionality: Where VIPs are allocated dedicated account managers, those account managers will need to receive appropriate training to ensure that, if processing any additional personal data which may be categorised as sensitive (e.g. relating to ethnicity or other such data), particular care is taken and that there is a legal basis to do so.
3. Security: In line with the above, if significant additional information is being provided by a VIP, more robust access controls may need to be put in place to limit the account managers and individuals who have access to additional data held about the player.
4. Data Protection Assessment (DPIA): Again,  given the scope of personal data processing and the possible processing of special category data, a risk assessment may be required for a VIP scheme and, where indicated, a DPIA.

Complying with an approved code of conduct should not only help gambling operators achieve better protection compliance, but also demonstrates to a DPA, and to customers, that those operators are accountable and transparent in accordance with GDPR. The EGBA intends to provide its members who comply with the Code with a unique membership number which can be put on a website (and elsewhere) to demonstrate to others that they meet its requirements. 

Compliance with an approved code may be monitored by an independent third party accredited by the IDPC, and should a member organisation fail to meet the requirements of the code (once approved), membership could be suspended or revoked by that monitoring body and notified to the IDPC. If the failure to comply were to constitute an infringement of the GDPR, the IDPC could then decide to take enforcement action.