INSIGHT
GDPR RESETS
THE OPERATOR/AFFILIATE
RELATIONSHIP
The new legislation brings many responsibilities concerning gamers but it’s also an opportunity for
operators and affiliates to redefine their roles — and they must take it, says Wiggin’s Patrick Rennie
THE GENERAL DATA PROTECTION
REGULATION (GDPR) – for those who
have been living under a bridge for the
last 12 months – is new EU legislation
which comes into force on 25 May, 2018.
The GDPR will bring about stricter
requirements for all companies in the EU
that process personal data (and for those
companies outside the EU that process the
data of EU citizens). The new regulation
will affect the gambling industry and how
it uses the personal data of its players and
prospective players. This article discusses
the impact that the GDPR will have on
affiliates, the relationship between operators
and affiliates, and what measures can/
should be taken by operators as a result of
GDPR to assist it in its GDPR-compliance.
The GDPR retains the concept of a data
controller (now called a controller). This
is the party that determines the purposes
and means for processing personal data.
The concept of a data processor (now a
processor) is also retained and refers to
those who process personal data on behalf
of another. It is, therefore, important to
begin any discussions between operators
and affiliates by determining their roles.
Affiliates aim to drive individuals to an
operator’s site/app with the aim of such
individual signing up to become players.
This means that the operator will be a
controller in respect of such players once
they have entered the operator’s site/
app, but prior to this the operator has no
relationship with the traffic that is being
driven towards its site. This brings into
question the role of the affiliate, reviewed
as follows:
● ● Affiliate
as a processor: The affiliate
carries out its operation solely to drive
traffic towards an operator and without
an operator the affiliate would not be
processing personal data. The affiliate
acts solely on behalf of the operator.
● ● Affiliate as a controller: Although the
affiliate’s aim is to provide customers
to the operator, the way in which the
affiliate fulfils this task and the means
in which the affiliate reaches out to
prospective players is entirely up to
the affiliate. The affiliate has autonomy
over its processing.
Although an argument could be made
either way, it is likely that affiliates (acting
in their usual capacity) will be controllers.
This is corroborated by the ICO’s guidance
note on controllers and processors where
the example of an organisation that
determines the precise data collected and
the manner in which processing is carried
out to be a controller, which is the case
with affiliates.
GDPR will actually lessen the impact on
whether or not an affiliate is a processor or
a controller as GDPR introduces liability
for both. This will mean that an affiliate
who is solely responsible for breaching
GDPR will be liable, rather than the
operator potentially being liable and then
having a contractual remedy against the
affiliate (as would currently be the case if an
affiliate is a processor). There are two points
to note, however: (i) it is still important
to address if the affiliate is a controller or
processor as controller-processor contracts
(which would include affiliate T&Cs) must
contain certain provisions under Article
28 of the GDPR; and (ii) regulators and/
or affected customers may pursue the
operator rather than the affiliate under
the assumption that the operator is the
controller, because of the greater brand
presence of operators. It is also important
to note that being a controller or a processor
is a question of fact not of contract and
so the precise role of an affiliate will be
determined by a regulator, regardless of
what may be stated in the affiliate T&Cs
(although the contract may be used to help
a regulator reach its decision).
On the whole, affiliates are most likely
to be controllers in their own right and this
position is probably the preferable one for
operators because it would mean that any
data protection breach by the affiliate
should bring liability solely on to the
affiliate. Of course, there may be related
liability or liability under other regulation
for operators to consider, as well as
potential harm to the brand. In any
“Affiliates are most likely to be controllers in their own
right and this position is probably the preferable one
for operators because it would mean that any data
protection breach by the affiliate should bring liability
solely on to the affiliate”
iGB Affiliate Issue 66 DEC 2017/JAN 2018
41