GPWA Times Magazine - Issue 39 - November 2017

or general written authorization of the controller [i.e., of the operator].” This principle is, in theory, already in place, but there are affiliates where the “line of data processing” is made of more than five entities that are almost totally ignored by the operator, which has not even been notified of their identity. The EU Data Protection Regulation introduces more flexibility in appointing sub-affiliates, but such flexibility still requires that operators be able to have at any time a full picture of the data processing activities being performed on their behalf.

Is data kept secure, and do operators have full control of data breaches?

Gaming affiliates are required to comply with the same “appropriate technical and organizational measures to ensure a level of security appropriate to the risk” that are imposed on the instructing party (i.e., the operator). But how do gaming affiliates or their sub-affiliates that are very small organizations comply? Will this oblige operators to select their gaming affiliates more carefully?

The review of gaming affiliates’ level of conformity with privacy laws, which is currently either not performed at all or carried out only in relation to very large affiliates, will become an obligation to be periodically (e.g., annually) performed. If an affiliate is not able to ensure privacy compliance, operators will be obliged to either terminate the relationship or take the risk of potential liabilities.

How are audits performed?

The GDPR requires that gaming affiliates commit to make available to the controller all information necessary to demonstrate compliance with privacy obligations and to allow for and contribute to audits, including inspections, conducted by the operator or another auditor mandated by the operator.

The GDPR requires that gaming affiliates put into place stringent and burdensome measures in order to demonstrate compliance with its privacy obligations.
