Media Centre

EGBA Published Code of Conduct on Data Protection in Online Gambling

17 June 2020

Technology & Regulation in the Spotlight

The European Gaming and Betting Association (“EGBA“) published a code of conduct for online gambling operators on data protection (“Code“) in accordance with Article 40 of the General Data Protection Regulation (“GDPR”), which encourages the adoption of sectoral codes of conduct. The Code establishes a dedicated sector-specific rules for online gambling and best practices intended to complement and reinforce compliance with the GDPR.

The Code requires gambling operators to establish a compliance framework that will support adherence to the Code. The framework should cover the following core activities: (i) data mapping; (ii) lawful basis analysis; (iii) risk assessment; (iv) documentation; and (v) review assessment and amendment, providing detailed review of each requirement including practical examples for the operators. Under the code, operators will be required to document their data mapping, record of processing, and policies regarding the governance of processing activities and involvement of the Data Protection Office. Furthermore, the Code requires operators to retain all evidence of compliance for a minimum period of 3 years.

The Code reiterates the requirements under the GDPR and their interpretation by the European Data Protection Board, such as with regards to GDPR standard consent, data subject rights and sharing and transfer of personal data. The Code also requires operators who wish to rely on legitimate interest as a lawful basis to first complete a Legitimate Interest Assessment and provides guidelines on what such assessment process shall cover.

The Code provides further guidance on the interplay between data protection principles under the GDPR and other regulatory requirements such as Anti-Money Laundering (“AML“) regulations. For example, the Code addresses the conflict between data minimization, which is a principle under the GDPR and AML regulations which require data maximization to analyze suspicious activities and the delicate balance between the two opposing principles.

In line with the requirements of the GDPR, the Code has now been submitted to the Maltese Data Protection Authority for formal approval of the Code’s compliance with the GDPR. This is a process which involves data protection authorities in other EU countries, and the European Data Protection Board, and can last between 18-24 months.

All EGBA members will adhere to the Code, which will also be open for signature to other online gambling companies licensed in the EU/EEA. Operators who wish to adhere to the Code will have to submit a declaration to the Code’s independent Monitoring Body, stating that they will comply with all parts of the Code. Upon receipt, the Monitoring Body will verify compliance through a plausibility check or by relying on third party certificates and audits. Operators who will fail to meet the minimum requirements will be subject to enforcement by the EGBA.


Please feel free to contact us if you have any questions.

Kind regards,

Ariel Yosefi, Partner

Co-Head | Technology & Regulation Department

Herzog Fox & Neeman

Search by +