What GDPR covers in gambling
GDPR applies to every operator that processes personal data of EU residents, regardless of where the operator is based. The framework defines categories of personal data, lawful bases for processing, data-subject rights (access, erasure, rectification, portability, objection), and obligations on data controllers and processors. Gambling operators collect substantial personal data through KYC, payments, behavioural analytics, and customer service, which puts them squarely within GDPR scope.
The legal text is supplemented by national implementations and supervisory guidance from each EU data-protection authority. The UK Information Commissioner’s Office (ICO) supervises UK GDPR. The Irish Data Protection Commission, French CNIL, German LfDI bodies, and other national regulators supervise GDPR within their territories. Cross-border processing is coordinated through the One-Stop-Shop mechanism.
Lawful bases and data-subject rights
Every processing activity must have a lawful basis. The most common bases in gambling are: performance of a contract (processing necessary to deliver the gambling service), legal obligation (KYC and AML processing required by gambling and anti-money-laundering law), legitimate interests (fraud prevention, security), and consent (marketing communications, optional analytics). Special-category data (such as health data triggered by responsible-gambling interventions) requires stronger conditions.
Data-subject rights include the right of access (request a copy of personal data held), right to erasure (delete data when no longer needed), right to rectification (correct inaccurate data), right to portability (receive data in a structured format), and right to object (stop certain processing). Operators must respond to verified requests within one month, extendable by two months for complex cases.
Operator and B2B vendor implications
Operators must maintain records of processing activities, conduct Data Protection Impact Assessments for high-risk processing, appoint a Data Protection Officer where required, sign Data Processing Agreements with every processor (KYC vendors, payment processors, hosting providers), and notify breaches to the supervisory authority within 72 hours where they meet the threshold. UKGC and ICO have coordinated on data-handling expectations in gambling, including specific guidance on marketing and harm-minimisation profiling.
For B2B vendors, GDPR compliance is a procurement requirement. Vendors typically operate as processors under written Data Processing Agreements with their operator customers. Sub-processor arrangements, international transfer mechanisms (Standard Contractual Clauses, adequacy decisions), and security controls are all in scope of vendor due diligence.
Frequently asked questions about What Is GDPR in iGaming?
The higher tier of GDPR fines reaches the greater of 20 million euros or 4 percent of worldwide annual turnover. The lower tier reaches the greater of 10 million euros or 2 percent of turnover. UK GDPR mirrors these levels. Several large gambling operators have received seven-figure GDPR-related fines for marketing and data-handling failings.
No. GDPR’s storage-limitation principle requires data to be retained only as long as necessary, but it permits retention that the law requires. Gambling AML rules typically require retention for at least five years. Operators document the legal basis for each retention period in their records of processing activities.
DPOs are mandatory where the core activities involve large-scale systematic monitoring of individuals, or large-scale processing of special-category data. Most mid-to-large gambling operators appoint a DPO. UKGC and ICO guidance treats this as best practice in gambling regardless of whether the strict legal threshold is met.
The EU adopted an adequacy decision for the UK in 2021, allowing data to flow freely between the UK and EEA. Transfers to other jurisdictions still require an appropriate mechanism, typically Standard Contractual Clauses with additional safeguards following the Schrems II judgment.