2. Exchange of Information & Personal Data Protection

Overview

Exchange of information between stakeholders in the fight against the manipulation of sports competitions is considered one of the most effective solutions in the fight against match-fixing.

Alongside protected whistle-blowing mechanisms, it can be considered as a keystone of mechanisms for protecting the integrity of sports competitions.

These mechanisms have multiplied in recent years, at regional and national levels, and have placed the exchange of information at the heart of their concerns and their functioning.

Despite remaining imperfections and obstacles, the timely flow of information between stakeholders in the fight against the manipulation of sports competitions has made it possible to (i) prevent certain match-fixing attempts, (ii) facilitate the search for the offenders and (iii) facilitate their sanction, in a context where the collection of evidence always raises great difficulties.

These mechanisms are complemented by international information-sharing platforms in the fight against corruption and organized crime – namely the Macolin Convention’s Follow-up Committee – which promote mutual assistance.

However, the effectiveness of the fight against the manipulation of sports competitions cannot justify the violation or neglect of the fundamental rights and freedoms guaranteed when personal data are at stake. In this respect, whether it concerns the European Union General Data Protection Regulation (EU GDPR) or the Council of Europe Convention 108+, the enhanced guarantee of the rights to personal data protection translates into a multitude of tools at the stakeholders’ disposal to help them in the fight against match-fixing and betting fraud.

The Recommendations herein aim at enabling the stakeholders in the fight against match-fixing to find a satisfactory balance between the goals pursued for the protection of sports’ integrity and the protection of fundamental rights and freedoms – in particular of personal data protection.

Recommendations

Recommendation 1

Establish a uniform information exchange procedure. The efficiency of information exchange depends on developing such uniformity between public and private authorities, as required by law, accompanied by each stakeholder's adoption of measures to enable such exchange.

With this background, it would be appropriate for the Macolin Convention’s Follow-up Committee to issue guidance (e.g. through guidelines):

  • Specifying the name or the type of authorities referred to by internal, European and international cooperation;
  • Specifying the type of information that can be exchanged in case of illegal, atypical/irregular or suspicious sports betting;
  • Establishing “standard” information exchange procedures to help sport stakeholders and relevant stakeholders in the implementation.
  • As established in Article 1 of the 2014 Council of Europe’s Macolin Convention, one of its main objectives is “to promote national and international cooperation against manipulation of sport competitions between the public authorities concerned, as well as with organisations involved in sports and in sports betting”.

Recommendation 2

Identify the categories of processed data (sensitive or non-sensitive) and ensure that the principles and rules imposed by the regulation are respected.

Communicate to the person subject to personal data treatment the remedies available.

Note:

Stakeholders are required to inform the player and/or athlete of all methods of processing their collected data. They must provide the information required by regulations (namely GDPR and Convention 108+).

Informing a person is a prerequisite for data collection. From then on, it will be up to the betting operator, regulators and sports federations to bring any changes to the attention of the player and/or athlete. Such information must be easily accessible and must be included in the information notices.

Specific notices must be drawn up for cookies and pop-ups and when using functions such as Google Analytics.

Recommendation 3

The Council of Europe’s Macolin Convention subjects the exchange of information to the respect of eight principles similar to those contained in the Council of Europe Convention 108+ and the EU GDPR; it would therefore be important to standardize them.

  • For example, the following could be considered as personal data: surname, first names, gender, date and place of birth, home postal address, and where appropriate the e-mail address.

Recommendation 4

Establish at the national level a horizontal mechanism for information sharing (National Platform) between betting operators under the control of the Regulatory Authority in charge of sports betting in case of suspicions of fraud (illegal, atypical/irregular or suspicious sports betting).

MoUs and cooperation agreements should be established to frame such relations.

The collection and sharing of information between stakeholders in the sports sector can be carried out:

  • between national regulatory authorities (a)
  • between betting operators (b)
  • between betting operators and players (c)
  • between members of the sports movement (d) but also
  • between betting operators and other stakeholders (e)

Recommendation 5

Harmonize the cooperation practices of the national regulatory authorities and adapt the material scope of the cooperation agreements that bind them to the standards governing the protection of personal data in order to allow an optimal transfer of the information collected.

Recommendation 6

Encourage the development of a Code of Conduct in cooperation with the regulatory authorities and National Platforms summarizing all the rules and procedures that must be followed by their members for ensuring the security of data collected from players and athletes.

Recommendation 7

Strengthen cooperation between betting operators and introduce into the regulations of the associations of sports betting operators rules / details / requisites regarding the nature of the information that is likely to be and/or can be exchanged.

Recommendation 8

Establish in the betting operators’ general terms of service the various scenarios in which players’/bettors’ personal data may or can be transferred to a third party.

In addition, identify precisely the recipients of these data and their processing.

Develop information notices in accordance with the provisions of the GDPR and the modernized Convention 108+.

  • The Convention’s Follow-up Committee could make recommendations to this effect, including suggesting that National Platforms approve the betting operators’ terms of services and conditions in the jurisdiction.

Recommendation 9

Encourage Member States to establish similar laws to standardize information sharing procedures between national regulators.

Recommendation 10

Draw up a list of data collected by stakeholders to determine the information considered as personal data and identify the sensitive data.

The Macolin Convention’s Follow-up Committee could encourage stakeholders to compile this list through one of its Recommendations and to redraft and harmonise the models proposed by the national data protection authorities.

Note:

The notion of “personal data” is defined broadly.

When it comes to fighting the manipulation of sports competitions, stakeholders will therefore have to be very careful regarding the information they collect and wish to exchange. In this regard, they will have to consider:

  • The rules applicable in the case of data processing during normal management activities;
  • The rules applicable in the event that the data is subject to processing because it is necessary to combat the manipulation of sports competitions.

It is therefore essential to precisely list all the data necessary for stakeholders (betting operators, regulatory authorities, sports federations, etc.) to guide them in the assessment of the data collected.

To combat the manipulation of sports competitions, stakeholders need to know precisely what personal data they hold and where it is located, and to have a view of the operations carried out on this data.

Also, they should establish an inventory of data as well as a map of data processing and a register of this processing (data flow mapping and record) based on the work carried out by certain protection authorities.

Betting operators, sports federations, regulatory authorities as well as national platforms (i.e. all stakeholders in the sector) which process personal data can be considered as being responsible for processing.

Recommendation 11

Member States should adopt laws on data processing for the prevention and detection of criminal offenses, their investigation and prosecution, or the enforcement of criminal sanctions, including protection against threats to human rights and public safety.

Likewise, rules applicable to private organizations should be adopted.

  • While prevention-focused activities remain the most important way of tackling the problem, they need to be combined with more stringent efforts on investigation and appropriate sanctions involving the criminal justice system. The number of reports indicating suspicious activity, in particular given the growth of betting, suggests that the risk of competition manipulation to all sports is increasing. (UNODC, 2021)

Recommendation 12

National legislators should recognize the fight against the manipulation of sports competitions as a public mandate to allow and regulate the processing of personal data by the regulatory authorities and/or to provide an obligation in the law to cooperate and communicate / exchange information to combat sports manipulation.

  • This could be proposed and/or established by the Convention’s Follow-up Committee.

Recommendation 13

Adopt a European Standard allowing stakeholders to uniformly collect, obtain or exchange personal data (in the territory of the European Union) with the consent of the player, in respect of the substantive and formal conditions required, whenever consent is the basis for processing.

Note:

Stakeholders (betting operators, regulatory authorities, sports federations, etc.) are authorized to process the personal data they collect if one of the conditions provided for is respected:

1 – The player and/or athlete has given consent:

  • The operator must, beforehand, specify clearly and precisely all the purposes for which their consent is required.
  • Consent must be given freely, clearly, unequivocally and by the exercise of a positive act:
      • A checkbox on the gaming operator’s website by which the player accepts that his collected data may be processed in accordance with the stated purposes. This consent may for example be collected when opening the player account;
      • A written declaration;
      • An oral statement.
  • Consent relating to data processing must be presented separately from other requests;
  • The player and/or athlete must be able to withdraw their consent at any time:
      • This withdrawal will not, however, be retroactive.

2 – The betting operator, the regulatory authority and the sports federations may legally process the data they collect without first obtaining the consent of the player and/or the athlete:

  • If the processing is necessary to comply with a legal obligation: fight against fraud, addiction, money laundering, corruption.
  • If it is necessary for the execution of a data protection mission, public interest or in the exercise of functions of public authority.
  • If it is necessary to safeguard a vital interest.
  • When the processing is necessary for the purposes of the legitimate interests pursued by the controller, unless the interests or fundamental rights and freedoms of the data subject prevail.
  • When the processing is necessary for the performance of a contract to which the data subject is a party or to the execution of pre-contractual measures taken at the request of the data subject.

Recommendation 14

Ensure that complete information for the person concerned by the personal data treatment is provided, such as:

  • the identity and contact details of the Data Controller;
  • the contact details of the Data Protection Officer;
  • the purposes of the treatment;
  • the law that authorizes the treatment;
  • the legitimate interests pursued by the Controller;
  • the recipients of the data;
  • the categories and source of personal data when the data is not collected directly from the data subject;
  • any transfer to a third country or an international organization and details of the relevant guarantees (i.e. adequacy decision);
  • the rights of the data subjects including the right to withdraw their consent when the processing is based on consent;
  • the backup measures adopted to ensure data security;
  • the data retention periods;
  • the remedies available to the supervisory authority.

Recommendation 15

Have adequate knowledge of the processing operations, communicate transparently on each purpose of the processing, and scrupulously observe the rules laid down by the GDPR when processing data for later purposes.

Recommendation 16

Conduct a stakeholder consultation with a view to establishing a certification mechanism to enable those involved in processing to “quickly assess the level of data protection offered by the products and services in question”.

  • This recommendation could be determined by the Convention’s Follow-up Committee.

Recommendation 17

Consider a certification label specific to sport integrity (such as ISO or EMAS).

This certification label would strengthen the relationship of trust which should link the player to betting operators, sports federations and public authorities and would also be a new means in the fight against illegal operators.

In order to enhance the efficiency of such compliance mechanisms, the European Commission, in consultation with all stakeholders, could create a specific Code of Conduct for the sport sector and / or establish a certification mechanism.

Note:

With this background, the responsibility of betting operators, regulatory authorities and sports federations is therefore reinforced. They must ensure compliance with the applicable legislation regarding the protection of personal data and, in particular:

  • Adopt appropriate technical and organizational measures to guarantee the protection of personal data: minimum processing of data, pseudonymization, encryption and the implementation of individual rights and the principles of lawfulness of processing;
  • Apply the principles of data protection by design and by default;
  • Carry out impact studies;
  • Keep a record of processing activities;
  • Cooperate with the supervisory authority when requested;
  • Notify any personal data breach to the supervisory authority.

In order to ensure that data protection is properly taken into account in their processing operations, Data Controllers can rely on instruments such as Codes of Conduct, labelling and certification procedures.

Recommendation 18

Establish and give adequate visibility to the rights of the person subject to personal data treatment, in particular:

  • The right not to be subject to an automated individual decision
  • The right of access
  • The right to know the reasoning underlying the processing
  • The right to object
  • The right of rectification and erasure