Data Protection (GDPR) for Gambling

Gambling operators in Finland are data controllers under the EU's General Data Protection Regulation (GDPR). The Office of the Data Protection Ombudsman is the supervisory authority responsible for enforcement. Operators have significant obligations, including conducting impact assessments for player profiling and providing secure data access for regulatory supervision. These rules apply to the current monopoly operator, Veikkaus, and will extend to all private licensees when the competitive market opens for online betting and casino games on 1 July 2027.

Data Protection Regulation in Finnish Gambling

All organisations processing the personal data of individuals in Finland, including gambling operators, must comply with the General Data Protection Regulation (GDPR). As data controllers, gambling operators are responsible for how they collect, use, and protect player data. The primary independent supervisory authority for data protection in Finland is the Office of the Data Protection Ombudsman (Tietosuojavaltuutettu).

Currently, these obligations apply fully to the state-owned monopoly operator, Veikkaus Oy. From 1 July 2027, when the licensed market for online betting and casino games opens, all successful licence applicants will also be required to demonstrate full GDPR compliance as part of their regulatory duties.

The Role of the Data Protection Ombudsman

The Office of the Data Protection Ombudsman is responsible for monitoring and enforcing GDPR compliance across all sectors in Finland. Its role in the gambling sector includes:

  • Providing guidance and advice to operators on their data protection obligations.
  • Handling complaints from individuals about how their personal data is being processed by a gambling operator.
  • Conducting investigations and audits of operators' data processing activities.
  • Imposing corrective measures, including administrative fines for GDPR violations.

The Ombudsman works independently but may cooperate with the gambling regulator, the National Police Board, on matters where data protection and gambling supervision intersect.

Legal Basis for Processing Player Data

Operators cannot process personal data without a valid legal basis under Article 6 of the GDPR. For gambling, several bases are relevant:

  • Legal Obligation: A significant amount of data processing is necessary to comply with other laws. This includes identity verification, age checks, anti-money laundering (AML) monitoring as required by the Act on Preventing Money Laundering and Terrorist Financing, and responsible gambling interventions mandated by Finland's Gambling Act.
  • Legitimate Interest: Operators may process data for purposes like fraud prevention or network security, provided their interests are not overridden by the player's rights and freedoms.
  • Consent: For activities not covered by other legal bases, such as sending direct marketing materials, operators must obtain explicit, opt-in consent from the player. Players must be able to withdraw this consent easily at any time.

Key Obligations for Gambling Operators

Data Protection Impact Assessments (DPIAs)

Online gambling inherently involves processing that is likely to be considered 'high risk' under the GDPR. This triggers the mandatory requirement to conduct a Data Protection Impact Assessment (DPIA) before commencing the processing. According to guidance from the Office of the Data Protection Ombudsman, activities like large-scale systematic monitoring of individuals' behaviour and extensive profiling require a DPIA. Gambling operators carry out exactly this kind of monitoring and profiling to detect problem gambling and fraudulent activity, and for marketing purposes.

Profiling and Automated Decision-Making

Profiling is central to modern online gambling. Operators use it to segment customers for marketing, assess risk, and detect unusual betting patterns. When this profiling leads to solely automated decisions that have a legal or similarly significant effect on the player (e.g., automatic account closure or restriction based on a risk algorithm), players are granted specific rights under GDPR Article 22. These include the right to be informed about the logic involved, and the right to obtain human intervention, express their point of view, and contest the decision.

Data Breach Notifications

If a gambling operator experiences a personal data breach, it must notify the Office of the Data Protection Ombudsman without undue delay, and where feasible, no later than 72 hours after becoming aware of it. This notification is required if the breach is likely to result in a risk to the rights and freedoms of individuals, such as financial loss or identity theft.

Data Location and Supervisory Access

International Data Transfers

Finland does not have a general 'data residency' law requiring operators to store their main gambling data servers within Finnish territory. However, all operators must comply with GDPR's Chapter V rules on international data transfers. This means personal data can only be transferred outside the European Economic Area (EEA) if adequate protection is ensured, for example, through an adequacy decision by the European Commission or by using Standard Contractual Clauses (SCCs).

The Supervisory Data Interface

A key requirement under the new Gambling Act, effective from 2027, is the 'supervisory data interface', often referred to as a data vault. While data may be stored outside Finland, licensed operators must provide the National Police Board with secure, real-time access to a specific set of raw data for supervisory purposes. This data enables the regulator to monitor compliance with licence conditions, player protection rules, and AML requirements, separating the regulator's needs from the operator's general data processing governed by the GDPR.

Official documentation

Primary-source references for this topic: the Act, government bill, draft decrees, regulator pages and EU notifications. Bookmark this page as your starting point; links are kept up to date as new texts are published.

Sources are curated for orientation, not legal advice. Always verify against the official publisher before relying on any provision.

Frequently asked

Who regulates data protection for gambling in Finland?
The Office of the Data Protection Ombudsman (Tietosuojavaltuutettu) is the independent authority that supervises and enforces GDPR compliance for all sectors in Finland, including gambling.
Do gambling operators need my consent for all data processing?
No. While consent is required for activities like direct marketing, operators primarily process player data based on 'legal obligation' to comply with laws on AML, age verification, and responsible gambling.
What is a DPIA and why is it required for gambling?
A Data Protection Impact Assessment (DPIA) is a risk assessment required for high-risk data processing. It is mandatory for gambling operators due to their use of large-scale player monitoring, profiling, and automated decision-making.
Can a gambling site close my account automatically using an algorithm?
Yes, but if a decision is made solely by automated means and has a significant effect on you, GDPR grants you the right to obtain human intervention, express your view, and challenge the decision.
Does my personal and gambling data have to be stored in Finland?
No, Finland does not have a general data residency requirement for gambling operators. However, data transfers outside the EEA must comply with GDPR, and operators must provide Finnish regulators with access to a supervisory data vault.
What are the rules for marketing emails and texts from gambling sites?
Operators must have your explicit, prior opt-in consent before sending you electronic marketing. They must also provide a clear and easy way for you to opt-out or withdraw your consent at any time.
How will data protection work in the new licensed market from 2027?
From 1 July 2027, all private companies licensed to offer online betting and casino games in Finland will become data controllers. They will be fully subject to the GDPR and supervision by the Office of the Data Protection Ombudsman, just as Veikkaus is today.
What should I do if I think a gambling operator has breached my data rights?
You should first contact the operator's Data Protection Officer (DPO). If you are not satisfied with their response, you have the right to lodge a complaint with the Office of the Data Protection Ombudsman in Finland.