Legality of data storage by the GlüStV legally challenged

The correct handling of personal data is an extremely sensitive issue for all types of companies operating on the Internet. Online casinos with a German licence in particular collect a lot of data these days. This is mainly done for reasons of player protection. But is this really legal? This exciting topic was recently the subject of a legal article.

In recent years, we have all come face to face with data breaches and outright data scandals on the internet. Many of us have been affected ourselves. Most of us, however, have at least read or heard about the Facebook data leak at Easter 2021, the inadequate protection of Covid test results, the public visibility of user data on certain delivery service apps, or similar incidents. Online privacy and security seem to be more important than ever - and the trend is growing.

Of course, this also affects online casinos and, ultimately, the German authorities who regulate gambling there, including the use of various players' personal information.

A recent specialist article on Dr. Datenschutz by Marc Ruiz García, a lawyer and data protection consultant at intersoft consulting services AG, sees a clear conflict between the current approach and the provisions of the State Treaty on Gambling (GlüStV) of 2021 and the European General Data Protection Regulation (GDPR). He also criticises possible financial or payment blocking, which could be used and is becoming increasingly common in order to prevent transactions to illegal gambling providers in particular.

At which critical points is player data processed in accordance with GlüStV 2021?

The new GlüStV imposes a number of requirements on the granting of German licences to online casinos and ultimately to players, compliance with which is enforced by requesting personal data.

In particular, customers of such gaming facilities must be adequately protected against possible gambling problems. The main objectives are to effectively combat gambling addiction, but also to ensure that the services offered are free of fraud and crime. To this end, the authorities maintain three central databases whose data collection is used to control specific protection mechanisms.

But now to the central files:

• Limit file: This file is used across all providers to ensure that customers remain within the applicable deposit limit of €1,000 per month. The personal registration details for each casino used are compared for all deposit transactions and updated in the limit file with the appropriate amounts.

• Exclusion file: The exclusion file (OASIS) allows players to exclude themselves from all German gaming operators. In certain cases it is also possible to block third parties. This requires personal information. The specific data allows the operator to clearly identify whether a player has been blocked or not. This process takes place online through an automatic comparison.

• Activity file: In this file, personal data is processed live, so to speak, in order to recognise whether a player is really only active with one gaming operator. For example, parallel registration with two online casinos or with an online casino and a betting provider is prohibited under current regulations.

Various data is also required for payment blocking

Marc Ruiz García also discusses payment or financial blocking in his article. These methods are primarily used to prevent German players from making deposits or withdrawals from illegal gambling operators, i.e. those that are not licensed in Germany.

According to the author, this is mainly done by blacklisting unlicensed operators, whose data is then compared and excluded by financial service providers. Sometimes, however, players' bank accounts are also affected. These are then blocked using specific information.

The author comes to a clear judgement

The author of the article, Marc Ruiz García, questions whether the "extensive data retention" is really proportionate. The exact conclusion is as follows:

"In accordance with the principle of data minimisation, personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. The retention of personal data without a reason is not allowed. In this context, it is questionable whether the maintenance of three extensive centralised files containing information on all players (including those who have not shown any gambling addiction) is compatible with the requirements of data protection".

With regard to financial blocking, García says that the data used for this is usually used for other purposes. They are, of course, important for the creation of a bank account, an e-wallet account, etc. and the associated obligations to prevent money laundering or similar criminal activities. Changing the purpose is difficult, according to Tonus.

He describes the "constant and prophylactic monitoring of all customers by financial service providers with regard to their participation in illegal gambling" as clearly "disproportionate". "Such data processing cannot be carried out on the basis of a legitimate interest within the meaning of the GDPR, because the fundamental rights and freedoms of the data subjects prevail in view of the intensity of the interference," García said verbatim.

Conclusion

Image source: https://pixabay.com/de/illustrations/lupe-menschen-kopf-gesichter-1607208/