
EU data protection laws (GDPR) and customer privacy

1) Briefly about the main thing

GDPR is the basic EU law on the protection of personal data. It applies to anyone who:
  • processes the data of people from the EU/EEA, even if the operator is outside the EU;
  • offers them services (including online casinos) or monitors their behavior.

For a violation: a fine of up to 20 million € or 4% of global turnover (whichever is higher), plus bans on processing and reputational losses.


2) Key principles (Art. 5 GDPR)

1. Lawfulness, fairness, transparency. Understandable policies, honest notifications.

2. Purpose limitation. Use data only for the declared purposes (KYC/AML, Responsible Gambling, payments, support, analytics, etc.).

3. Minimization. Collect only what you need (for example, do not store a "selfie with a card" if there is enough 3-DS and a bank statement).

4. Accuracy. Update address/documents, avoid duplicates.

5. Storage limitation. Clear retention periods (usually 5-7 years for financial documents; much shorter for telemetry).

6. Integrity and confidentiality. Encryption, access control, logging.

7. Accountability. Prove compliance (policies, DPIA, processing records).


3) Lawful bases for processing (Art. 6) and which ones fit a casino

Legal obligation: KYC/AML/sanctions screening, fiscal reporting, payment logging.

Contract: creation and maintenance of a game account, replenishment/withdrawal, support.

Legitimate interest: anti-fraud, security, basic product analytics, Responsible Gambling signals (if not contrary to local regulations).

Consent: e-mail/SMS marketing, cookies for advertising, non-standard profiling.

Vital interests/public task: rare, narrowly targeted.

💡 Special categories (health, religion, etc.) are almost never needed in iGaming; avoid collecting them. If biometrics are used for liveness checks, treat them strictly as identification data, with a DPIA and minimization.

4) Roles and responsibilities

Controller: the casino operator, which determines the purposes and means of processing.

Processor: KYC providers, PSP, clouds, anti-fraud, online analytics, marketing platforms.

DPAs (data processing agreements) are required with every processor, with clear instructions, an approved list of sub-processors, security measures, audit rights and breach notification duties.


5) DPIA, DPO and processing records

A DPIA (Data Protection Impact Assessment) is mandatory where the risk is high: CCM/biometrics, behavioral monitoring for RG, large-scale profiling, cross-border transfers.

Assign a DPO (Data Protection Officer) if the scale of processing is large or there is systematic monitoring.

Maintain a Record of Processing Activities (RoPA): data categories, purposes, lawful bases, retention periods, recipients, security measures.


6) Rights of the data subject and SLA responses

The player has the right to: access, rectification, erasure ("right to be forgotten"), restriction of processing, portability, objection, and an explanation of automated decisions/profiling (for example, an anti-fraud block).

The response time is usually up to 1 month (you can extend for another 2 if difficult).

Processes are needed in support/CRM, identity verification of the requester, and WORM (write-once) logs of the decisions taken.


7) Cookies, ePrivacy and online marketing

Consent banner: explicit opt-in for analytics/advertising, separate toggles, equally prominent "accept" and "reject" buttons.

Strictly necessary cookies - without consent, but with a description in the policy.

E-mail/SMS marketing: only with consent (or "soft opt-in" for existing customers in some countries) + easy opt-out.

Remarketing and look-alike audiences: only with valid consent; exclude self-excluded players and vulnerable groups from the lists.


8) International data transfers (Chapter V)

Transfers outside the EEA are possible when there is:
  • an adequacy decision, or
  • SCCs (standard contractual clauses) + a TIA (transfer impact assessment), or
  • Binding Corporate Rules for groups of companies.
  • Check clouds, anti-fraud, on-chain analytics, helpdesk - where data is physically stored and processed.

9) Security (Art. 32) and incidents (Art. 33/34)

Rock-solid minimum:
  • Encryption at rest and in transit, key management.
  • RBAC/ABAC, MFA for admins, zero account sharing.
  • Environment segregation, activity log (admin/support), anomaly monitoring.
  • Tokenization/pseudonymization for telemetry and analytics.
  • Incident response plan, drills, bug bounty.

Data breach: notify the supervisory authority within 72 hours, and the data subjects if the risk of harm is high. Maintain a register of incidents.
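The pseudonymization bullet above (and the "minimize exports to BI" item in the checklist) in working form, as an added example that is not from the original page: telemetry rows are stripped of direct identifiers, the player id is replaced by a keyed HMAC alias that rotates monthly, and IP and timestamp are coarsened before the row leaves the secured zone. Field names, sample values and the key constant are assumptions.

```python
import hashlib
import hmac
import ipaddress
from datetime import datetime

# Constructed sample: three telemetry events as they might sit in the operator's
# event store. Field names and values are assumptions for this example.
RAW_EVENTS = [
    {"player_id": "P-1001", "email": "alice@example.com", "ip": "203.0.113.45",
     "ts": "2024-03-02T21:14:07Z", "event": "spin", "game": "slot_a", "stake_eur": 2.0},
    {"player_id": "P-1001", "email": "alice@example.com", "ip": "203.0.113.45",
     "ts": "2024-03-02T21:14:19Z", "event": "spin", "game": "slot_a", "stake_eur": 2.0},
    {"player_id": "P-2002", "email": "bob@example.net", "ip": "2001:db8::7",
     "ts": "2024-04-01T08:00:00Z", "event": "deposit", "game": None, "stake_eur": 50.0},
]
# In production the key lives in a KMS/HSM and never reaches the BI side;
# this constant is a placeholder for the example only.
ALIAS_KEY = b"placeholder-alias-key-keep-in-kms"
DIRECT_IDENTIFIERS = {"player_id", "email", "ip"}


def alias(player_id: str, key: bytes, period: str) -> str:
    """Keyed, non-reversible alias. Mixing the period into the HMAC input gives
    a fresh alias each month, so BI can group a player's events within a month
    but cannot build a multi-month profile without the key."""
    digest = hmac.new(key, f"{period}|{player_id}".encode(), hashlib.sha256)
    return digest.hexdigest()[:16]


def coarsen_ip(ip: str) -> str:
    """Keep only the network part (/24 for IPv4, /48 for IPv6) for geo/abuse stats."""
    prefix = 24 if ipaddress.ip_address(ip).version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def pseudonymize(event: dict, key: bytes) -> dict:
    """Build the row that may leave the secured zone for analytics."""
    ts = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
    period = ts.strftime("%Y-%m")
    row = {k: v for k, v in event.items() if k not in DIRECT_IDENTIFIERS}
    row["alias"] = alias(event["player_id"], key, period)
    row["ip_net"] = coarsen_ip(event["ip"])
    row["ts"] = ts.strftime("%Y-%m-%dT%H:00:00Z")  # hour granularity is enough for BI
    return row


def export_for_bi(events: list, key: bytes = ALIAS_KEY) -> list:
    """Pseudonymize every event; this is the only shape that should reach BI."""
    return [pseudonymize(e, key) for e in events]
```

A subject-access or erasure request can still be honored on the secured side by recomputing the alias for the requested period; the BI side alone cannot reverse it.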


10) iGaming weak spots and how to close them

1. Biometrics and liveness. DPIA, local storage of templates (or their absence after verification), transparent deadlines for deletion.

2. On-chain data. A crypto address can become personal data once it is linked to a person: conduct a TIA, do not publish the player's addresses, store reports with minimization.

3. Responsible Gambling and profiling. Explainable models (XAI), "human-in-the-loop" for tough measures, the right to challenge.

4. VIP and SoF/SoW. Collect only what you need, delete by the deadline, protect bank statements.

5. Affiliates and pixels. Joint controllership? Fix it in contracts, ensure a synchronized ban on self-excluded players, and collect consents lawfully.

6. Regulatory/LEA requests. Documented disclosure procedures, minimization, legal framework (Art. 6 (1) (c )/( e)).


11) Retention: how to set sensible deadlines

CCM/financial documents: 5-7 years (national financial standards).

Session/device logs: 12-24 months (longer without identifiers).

RG signals and cases: for as long as the limit is in effect, plus the audit period.

Marketing data: until consent is withdrawn, or 24 months without activity.

Biometrics: remove immediately after verification, unless otherwise required by law.


12) Practical compliance checklist (short)

Legal basis and documentation

  • Privacy policy and cookies, plain language.
  • Processing register (RoPA), DPIA for KYC/biometrics/RG/on-chain.
  • DPO assigned/outsourced, contact published.
  • DPA with all processors, list of sub-processors.

Rights of subjects

  • Procedures and SLAs (≤1 month), response templates, identity verification.
  • Easy opt-out/delete/fix mechanisms.

Technology and Security

  • Encryption, MFA, segregation, WORM logs.
  • Pseudonymized analytics, minimal exports to BI.
  • Incident plan, "72 hours," drill.

Marketing/ePrivacy

  • Consent banner with individual toggle switches; journal consents.
  • Marketing and user databases kept in sync on self-exclusion.

Data transfers

  • SCCs/BCR/TIA for all cross-border flows.
  • Data map by provider (KYC, PSP, cloud, anti-fraud).

13) Frequent mistakes and how to avoid them

Collect "in reserve." Unnecessary documents/screenshots → the risk of leakage. Solution: Minimization + whitelist of acceptable artifacts.

Cookie banner with "dark patterns." Make equivalent buttons "Accept/Reject."

Lack of DPIA and DPA. Without them, it is difficult to justify profiling and transferring data to partners.

A single "superadmin" account. Split roles and introduce JIT access.

No TIAs by cloud/analytics. Assess the location of the servers and the applicability of third-party law.


14) Mini-FAQ

We are not in the EU. Are we covered by GDPR?

Yes, if you offer services to people from the EU/EEA or monitor their behavior (cookies/analytics).

Do you always need consent for anti-fraud and RG?

Not always: usually a legitimate interest/legal duty. But requires DPIA and transparency + objection capability if applicable.

Can KYC documents be stored indefinitely?

No. Record reasonable deadlines and delete/anonymize when they expire.

Is an automatic withdrawal block "automated decision-making"?

Yes, potentially. Ensure a human-in-the-loop, an explanation, and the right to have it reconsidered.

Wallet address - personal data?

It can become personal data once it is associated with an identified person. Treat it as PII from onboarding onward.


15) The bottom line

GDPR does not require box-ticking on paper but a data management system: clear purposes and lawful bases, minimization, secure architecture, vendor control and respect for the rights of players. An operator that builds privacy by design and maintains accountability (RoPA, DPIA, DPA, DPO, incident plan) reduces legal and payment risks, speeds up audits and increases customer confidence, which means it wins long-term.
