European Gaming Lawyer magazine EGL_Spring2017_opt | Page 13
11. Right to be forgotten
The individual shall have the right to
obtain from the controller the erasure of
personal data without undue delay and
the Controller shall have the obligation to
erase personal data without undue delay
provided that the requirements set forth in
Art. 17 are met. The right to be forgotten
or the obligation to erasure does not apply
if the processing of personal data remains
necessary in relation to the purposes for
which they were (lawfully) collected or
otherwise processed. Moreover, the right
or obligation to erasure particularly does
not apply to the extent that processing
is necessary for compliance with legal
obligations (like applicable tax laws).
12. Data portability
The individual shall have the right to receive
the personal data concerning him or her,
which he or she has provided to a controller,
in a structured, commonly used and
machine-readable format and have the
right to transmit those data to another
controller without hindrance from the
controller to which the personal data have
been provided, where the processing is
based on consent or on a contract and the
processing is carried out by automated
means. In exercising his or her right to data
portability the individual shall have the
right to have the personal data transmitted
directly from one controller to another,
where technically feasible (Art. 20).
13. Privacy by Design and by Default
The Controller shall implement appropriate
technical and organisational measures for
ensuring that, by default, only personal
data which are necessary for each specific
purpose of the processing are processed.
That obligation applies to the amount of
personal data collected, the extent of their
processing, the period of their storage and
their accessibility. Moreover, the Controller
shall implement appropriate technical and
organisational measures which are designed
to implement data-protection principles,
such as data minimisation, in an effective
manner and to integrate the necessary
safeguards into the processing in order to
meet the requirements of the Regulation and
protect the rights of data subjects (Art. 25).
III. Consequences for Remote
Gaming Operators
In the past, data protection law has been
unpopular with many operators and their
contractual partners and has not been considered
intensively. In future, such negligence could
become expensive.
As shown above, the GDPR comprises
fundamental changes for all entities
processing data. Since the core business of
remote gaming operators is the processing of
data, it will be crucial to review all processes
and to adapt to the new regime. Due to its
extraterritorial reach, the GDPR affects not only
entities in Europe but also Controllers
and Processors in third countries.
Need for Action under GDPR

Relation to Customer:
• review privacy notices
• review process for obtaining consent and withdrawal

Review internal organisation including:
• appoint Data Protection Officer
• review existing and implement new processes (privacy by design, data security, etc.)
• prepare documentation

Relation to Processor:
• review agreements with processors
• Processor: appoint Data Protection Officer
• joint liability

Transfer of data outside EU:
• review process and agreements
• Consent, Standard Clauses, Binding Corporate Rules, Codes of Conduct, Certification

[Diagram: Customer, XYZ-games.com, Processor EU, Processor outside EU]

The efforts to be compliant differ
depending on the current data protection
laws in each Member State. Whereas in
some Member States many elements (like
the requirement for Data Protection Officers
or for agreements between Controllers and
Processors) are already laid down in present
legislation, the changes in other Member
States will be tremendous. However, the goal
of a real harmonisation has not been reached
due to many opening clauses which give the
Member States room for deviations.
Considering the number of obligations
included in the GDPR, the transition period
until May 2018 is short and the GDPR is to
be taken seriously.
Frieder Backu is Partner of SSW [...],
one of the leading German law
firms in the field of information
technology law. He studied law
at the universities of Munich
and London. Following Backu's
studies at university he passed
an education as certified expert
of tax law and of information
technology law. His focus is online
and information technology law.
Since [...] Backu consults and
represents international gaming
companies with respect to their
business activities in Germany.
He is co-author and editor of the
monthly law journal [...]
and author of numerous
publications in the field of
law and taxes. He is a Member
of the German Bar Association,
Munich Bar Association and
the Information Technology
Working Group of the German Bar
Association [...]. He is general
member of IMGL.