GPWA Times Magazine - Issue 39 - November 2017

The main principles on the matter can be summarized as follows:

• Players can file direct claims for breach of their privacy rights against both operators and their gaming affiliates if the breach is the result of the conduct of affiliates.
• Gaming affiliates’ liability arises only if they did not comply with the obligations imposed specifically on data processors by the EU General Data Protection Regulation, or did not act within the scope of the lawful instructions of the operator.
• The burden of proof for showing privacy law compliance is on the gaming affiliate, who shall prove that it was not liable.
• In case of more than one operator or affiliate, each of them is liable for the refund of the whole damages.
• Gaming affiliates are liable for the misconduct of sub-affiliates appointed by them, i.e., of the network of affiliates reporting to a “master” affiliate.

Why operators will start scrutinizing the privacy compliance of their gaming affiliates

Up until now, my personal experience has been that there was a tendency to draft data processing agreements with a standard format that was used for any type of supplier, including gaming affiliates that were often not even appointed as data processors, regardless of the categories of data and modalities of data processing activity that the supplier was meant to perform.

The scenario completely changes with the EU Privacy Regulation, which will oblige operators to renegotiate all data processing agreements. Indeed, the GDPR provides a detailed list of instructions that have to be contained in the agreement.

How long is the line of processing?

Gaming affiliates shall be instructed to “not engage another processor [i.e., another sub-affiliate] without prior specific
