European Gaming Lawyer magazine EGL_Spring2017_opt - Page 13

11. Right to be forgotten Th e individual shall have the right to obtain from the controller the erasure of personal data without undue delay and the Controller shall have the obligation to erase personal data without undue delay provided that the requirements set forth in Art. 17 are met. Th e right to be forgotten or the obligation to erasure does not apply if the processing of personal data remains necessary in relation to the purposes for which they were (lawfully) collected or otherwise processed. Moreover, the right or obligation to erasure particularly does not apply to the extent that processing is necessary for compliance with legal obligations (like applicable tax laws). 12. Data portability Th e individual shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where the processing is based on consent or on a contract and the processing is carried out by automated means. In exercising his or her right to data portability the individual shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible (Art. 20). 13. Privacy by Design and by Default Th e Controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specifi c purpose of the processing are processed. Th at obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. Moreover, the Controller shall implement appropriate technical and organisational measures which are designed to implement data-protection principles, such as data minimisation, in an eff ective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of the Regulation and protect the rights of data subjects (Art. 25). III. Consequences for Remote Gaming Operators In the past data protection law for many operators and their contractual partners has been unpopular and has not been considered intensively. In future, such negligence could become expensive. As shown above the GDPR comprises fundamental changes for all entities processing data. Since the core business of remote gaming operators is the processing of data it will be crucial to review all processes and to adapt to the new regime. Due to the extraterritorial reach the GDPR does not only aff ect entities in Europe but also Controllers and Processors in third Countries. Need for Action under GDPR Relation to Customer Review internal organisation including: Relation to Processor • review privacy notices • review process for obtaining consent and withdrawal • appoint Data Protection Officer • review existing and implement new processes (privacy by design, data security, etc.) • prepare documentation • review agreements with processors • Processor: appoint Data Protection Officer • joint liability Customer XYZ- Transfer of data outside EU: • review process and agreements • Consent, Standard Clauses, Binding Corporate Rules, Codes of Conduct, Certification Processor EU Processor outside EU Th e eff orts to be compliant diff er depending on the current data protection laws in each Member State. Whereas in some Member States many elements (like the requirement for Data Protection Off ers or for agreements between Controllers and Processors) are already laid down in present legislation the changes in other Member States will be tremendous. However, the goal of a real harmonisation has not been reached due to many opening clauses which give the Member States room for deviations. Considering the amount of obligations included in the GDPR the transition period until May 2018 is short and the GDPR is to be taken seriously. Frieder Backu is Partner of SSW c ne e c e e e elle one o t e lea n e an law s n t e el o n o at on tec nolo law. He st e law at the universities of Munich an Lon on. ollow n ac ’s studies at university he passed an e cat on as ce t e e e t o ta law an o n o at on tec nolo law. H s oc s s onl ne an n o at on tec nolo law. nce ac cons lts an e esents nte nat onal a n companies with respect to their s ness act t es n e an . He s co a t o an e to o t e ont l law o nal www. t . e an a t o o n e o s l cat ons n t e el o law an ta es. He s a Me e o t e e an a ssoc at on Munich Bar Association and t e n o at on ec nolo Working Group of the German Bar ssoc at on . He s ene al e e o M L. el a e a l e e . ac ssw. c. e European Gaming Lawyer | Spring Issue | 2017 | 13