WRITTEN BY GIULIO CORAGGIO
After the French and the Dutch data protection authorities, the Italian privacy regulator, Garante per la protezione dei dati personali, (the “Italian DPA“) issued its 6 step methodology on the GDPR which aims at also increasing awareness on the most relevant changes introduced:
1. More detailed consent and broader legitimate interest
As already provided by the current regime, any type of processing of personal data needs to have a legal basis justifying it. In particular, among others, with reference to
An explicit (but no longer written) consent is required with reference to the processing of sensitive data (e.g. health related data that are now incorporated in the broader “special” category of data) and to the processing based on automated decision making. The latter is a burdensome obligation in case of automated decisions involving health related data since the manual processing of requests might not be economically feasible for companies in some cases. Therefore, other solutions need to be identified to avoid the risk that some customers do not give their consent to the automated processing of their applications.
Also, a relevant point raised by the Italian data protection authority is that if the consent obtained under the current regime meets also the requirements of the GDPR, no new consent is required. On the contrary, if this is not the case, a new consent shall be obtained before the 25th of May 2018.
The legitimate interest shall no longer be identified by means of a decision of the data protection authority. But the balancing test necessary to rely on it in order to be a legal basis for the data processing shall be performed by the data controller. The criteria identified in previous decisions of the Italian DPA relating to for instance biometric data and CCTV still apply. However, there is a new and wider possibility to exploit the legitimate interest as an alternative to the consent.
This is a major change since the scope of the legitimate interest (which would avoid the need to rely on individuals’ consent) is very broad as the GDPR requires to assess whether “a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place“.
2.Longer privacy information notice, but multi-layer
A much wider amount of compulsory information shall be listed in the privacy information notice. The most relevant change in my view is the need to expressly mention the storage period of personal data. This will force companies to adopt a strict internal policy and technical measures to delete or anonymise data on the expiry of the storage period.
Also, the privacy information notice shall be concise, transparent easily accessible and easy to understand. It can rely on standardised icons that shall be consistent across the European Union and will be defined soon by the European Commission. In this respect, the Italian DPA emphasised that the European Privacy Regulation pushes for the implementation of multi-layer privacy information notices in order to ease their understanding by the public. This would be essential given the very large amount of information to be included in the notice under the GDPR.
Also, strict deadlines are provided by the GDPR for the provision of the privacy information notice in case of personal data that is not collected from the data subject. Companies shall put in place procedures to be able to comply with such deadlines, otherwise they will be able to justify why the provision of the privacy information notice requires disproportionate efforts.
A privacy information notice compliant with the GDPR shall be in place before the 25th of May 2018 and therefore some operators that have relationship once a year with their customers might need to move quite fast!
3. Reinforced rights with the novelty of the data portability right
The GDPR sets strict deadlines to comply with the requests of exercise of individuals’ rights and therefore ad hoc internal organisational and technical procedures shall be put in place to address such requests. Also, the European data protection authorities might issue some guidelines on the potential “reasonable fee” to be paid by individuals in extraordinary circumstances for the exercise of their rights.
The rights of access and erasure (the so called “right to be forgotten“) are reinforced, while the new rights of restriction and portability are introduced. In particular, the right of restriction allows to limit the further processing of personal data, pending a decision on it, and obliges to adopt a procedure to “mark” such data up to the expiry of this transitional period. While with reference to the data portability right, the Italian DPA refers to the opinion on the Article 29 Working Party that I summarised in this blog post.
4. New obligations for data processors, while the need to appoint the persons in charge of the data processing remains
Data processing agreements with data processors shall be amended since the GDPR provides for a large number of obligations to be imposed on data processors (i.e. whoever processes personal data on behalf of the data controller), including the obligation to have in place a record of data processing activities, to implement adequate technical and organisational measures and, if it falls under specific categories, to appoint a data protection officer. The European Commission is considering the adoption of standard clauses for data processing agreements, but – as mentioned in this blog post – the main change relates to the controls to be implemented to monitor data processors.
A positive change is that data processors can appoint sub-processors, but data processors remain liable towards the data controller for the activities of their sub-processors, unless “it proves that it is not in any way responsible for the event giving rise to the damage“.
Interestingly, the Italian DPA provides that the individuals accessing to personal data shall still be appointed as “persons in charge of the data processing“ (incaricati del trattamento), which was a peculiarity of the Italian Privacy Code. Indeed, in order to prove the implementation of adequate technical and organisational measures, strict instructions shall be given to whoever has access to personal data.
5. Need to adopt an accountability program
The accountability principle is one of the major changes introduced by the General Data Protection Regulation. This requires that companies processing personal data are able to prove to have adopted the measures necessary to comply with the GDPR by means of a so called “accountability program“.
The accountability program finds two of its main elements in the implementation of a privacy by design and a privacy by default approach and in the performance of a privacy impact assessment that can be followed by a consultation with the competent data protection authority.
Such elements require that an assessment on the legality of the data processing activities is no longer performed by the data protection authority, but needs to be carried out by each entity processing personal data. This is the reason why the notification to the Italian DPA and the obligation to run a prior check with it in some circumstances will be removed with the GDPR.
Other elements of the accountability program are
- The establishment of a record of processing activities which the Italian DPA recommends to any company, regardless of their size and for which it might issue a template;
- The implementation of “appropriate technical and organisational measures to ensure a level of security appropriate to the risk“, which can no longer be limited to the minimum security measures provided so far by the Italian privacy code. But, the Italian DPA is considering to issue guidelines on the security measures to be put in place;
- The adoption of a procedure for the notification to the Italian DPA and the communication to the relevant individuals of data breaches, “unless the controller is able to demonstrate [—] that the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons“. For this purpose, data controllers shall also “shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken“, regardless of whether it has been notified to the Italian DPA and make it available upon request; and
- The appointment of a data protection officer on which the Article 29 Working Party issued an opinion summarised in this blog post.
6. No major change for transfers of data outside the EEA
Principles and tools as those currently provided remain for the transfer of personal data outside of the European Economic Area. It is possible to rely on codes of conducts, but those shall be expressly approved by the competent data protection authority.
Also, it is not possible for courts of non-EEA countries to order the transfer of personal data outside the EEA. This shall occur either on the basis of international treaties or if the relevant EU Member State recognises the public interest to the data transfer.
The above is a very interesting outline of the main contents of the GDPR and of the applicable obligations. On the same topic, you may find interesting my series of top 10+ issues arising from the European Privacy Regulation:
If you found this article interesting, please share it on your favourite social media!
European Union Updates Country List for Stricter AML Checks
The European Commission, the executive branch of the European Union (EU), has updated its list of high-risk countries, from which players should be subjected to stricter customer checks by gambling operators.
Based on Directive (EU) 2015/849, Article 9, the Commission identifies any high-risk third countries that have strategic deficiencies in their regime on anti-money laundering and countering the financing of terrorism.
As such, operators based in the EU that are offering services to these countries or dealing with players from these nations are obliged to carry out heightened vigilance checks.
The list was first published in July 2016 and has been updated a number of times as further countries of concern are identified and flagged by the Commission.
The latest countries to be added to this list – in an update published last month – include Burkina Faso, the Cayman Islands, Haiti, Jordan, Malo, Morocco, Myanmar, the Philippines, Senegal and South Sudan.
Other nations included on the list include Afghanistan, Barbados, Cambodia, the Democratic People’s Republic of Korea, Iran, Jamaica, Myanmar, Nicaragua, Pakistan, Panama, Syria, Trinidad and Tobago, Uganda, Vanuatu, Yemen and Zimbabwe.
Games Factory Talents has teamed up with Nordic Game to bring you Nordic Game Talents.
Looking to take your career to the next level in the games industry? Then, Nordic Game Talents is the place to be! Games Factory Talents has teamed up with Nordic Game to bring you Nordic Game Talents.
From Oct 27-29, the online and interactive event is dedicated to recruitment and career building in the creative & games industry within the Nordic region. The event empowers participants to be part of a bigger community and motivates them to explore new paths in achieving their career goals.
Hiring creative & games studios – Supercell, Funcom, Panzerdog, Tactile Games, Gamecan, Fingersoft, Dazzle Rocks, Redhill Games to name a few from the Nordic region will be participating in the event. These studios will share information on their latest projects, work culture and what it takes to be part of their team. The individual games associations from Finland, Denmark, Sweden, Norway and Estonia will share insights through live sessions on the booming games industry in their respective countries. Career development topics pertinent to job seekers like – How to have a successful first interview, Creative Portfolio reviews will also be discussed.
Experienced game industry professionals and individuals beginning their careers from around the world are welcome to join the event. One-to-one interviews with the hiring studios can be scheduled through the event platform. A great opportunity to get to know the studios and network with game professionals from around the world.
Participating in the event
As a job seeker attending Nordic Game Talents, take a few minutes to fill out a simple registration form. After filling the registration form you will receive a link to the online event platform – PINE, to join the event on 27th October. Participants joining Nordic Game Talents will also receive a free-of-charge pass to the Nordic Game Conference.
About Games Factory Talents
A Helsinki-based talent attraction agency dedicated to the games & creative industry. Our services include direct recruitment, organizing game job fairs and managing a community of game industry professionals through our GameDev Talent Board.
To learn more about Games Factory Talents visit – Games Factory Talents
EC Rejects Call to Reform Expert Group on Gambling
The European Commission (EC) has stated that will not support the re-establishment of an “Expert Group on Online Gambling” – a cross member state collaborative body supported by 14 regulatory agencies.
Dutch gambling regulator Kansspelautoriteit (KSA) published the EC’s response to a letter sent by KSA Chairman Rene Jansen on behalf of European regulators requesting to reinstate the group which had been decommissioned in 2018.
Regulators backed the reinstatement of an Expert Group to exchange knowledge and best practices with regards to governing gambling and protecting national consumers from risks and harms.
Jansen’s letter further stated that regulatory cooperation was required to secure greater oversight on technical requirements and to better evaluate the legislative outcomes of member-states governing their regulated gambling marketplaces.
“The work of the Expert Group was particularly successful. We achieved results that benefited consumers, national authorities and the gambling sector and the active participation in the group also demonstrated that member states are well equipped and willing to achieve positive outcomes together. And we still believe this to be the case,” Jansen said.
Issuing a response, the office of European Commissioner Thierry Breton referred to the EC’s original verdict to decommission the group taken in December 2017.
The expert group was deemed as no longer viable following the European Court of Justice (ECJ) arbitrating 30 cases related to gambling, in which all casework stated that national regulations superseded EU rules.
The EC underscored that gambling laws and standards would be maintained as the domain of the individual member state – which can choose to apply its legislative preferences to taxation, the licensing of market incumbents, industry standards and how a member state should protect its national consumers from harms.
The Commission can only intervene on member-states gambling laws if they are deemed to have breached the wider EU policies on market competition, fair business policies and state aid rules.
Replying to Jansen’s concerns, the EC responded that gambling regulators had the support of individual policy units carrying comprehensive oversight on “anti-money laundering (DG FISMA), consumer and youth protection (DG JUST), the prevention of addiction (DG SANTE) or issues of taxation (DG TAXUD)”.
“At this stage, our Directorate General does not intend to reverse this decision and to reinstate the Expert Group on Gambling Services under its responsibility,” the EC letter concluded.
Austrian win2day launched Fennica Gaming’s eInstants that appeal to female and younger adults
Hacksaw Gaming Strikes Content Agreement with NetBet Italy
Playsense Appoints Patty Toledo as Chief Partnerships Officer
Canterbury: Sam Warburton and Mack Hansen Feature in New Roblox Metaverse Game
GameArt boosts partnership with Planetwin365 in Italy
Betby.Games Enhanced with Launch of Cricket 2.0
Yolo Group restructures business verticals and senior team
Danish Gambling Regulator Expands ROFUS System to Physical Stores
Esports Betting in Central & Eastern Europe: Oddin.gg Sponsors Hipther’s GamingTECH CEE
ProgressPlay showcasing latest innovation in Cyprus
IGT Enhances iLottery in Lithuania with Remote Game Server and Compelling eInstants
PRAGMATIC PLAY SCALES SWISS OPERATIONS WITH GAMRFIRST PARTNERSHIP
Incode Technologies and MaxBet Transform Player Onboarding with AI Identity Verification
7777 gaming powers the newly launched website in Romania Win2
St8.io Continues Expansion with Entry into Romania
ESA Gaming Set for South Africa Debut Following Western Cape Certification
Africa6 days ago
BET9JA ENJOYS SMOOTH XPRESS TECH INTEGRATION
Australia6 days ago
Crown Resorts Signals New Era with Bold New Brand
Compliance Updates6 days ago
Spillemyndigheden Introduces “Player ID” for Retail Betting
Latest News6 days ago
Gary Neville and Sky Bet Continue Award-winning Partnership with Launch of New Overlap Series “Stick to Football”
Compliance Updates6 days ago
Norway Regulator Monitors Banks Over Illegal Gambling Transactions
Balkans6 days ago
Spinomenal augments Bulgarian presence with WINBET deal
Latest News6 days ago
William Hill Partners with Twenty3
Central Europe5 days ago
Mindway AI and the DSWV offer self-testing through AI