The role of transparency in data processing agreements within the gaming industry

In a recent enforcement action that should serve as a cautionary tale for gambling operators, the Lithuanian Data Protection Authority (“VDAI”) sanctioned an online gambling company for failing to properly inform its players about how their personal data would be used. While the operator had technically compliant data processing agreements in place, this case demonstrates that contractual compliance alone is insufficient when players are left in the dark about who receives their data and why.


The case arose from complaints lodged by a player against an online gambling operator, following unsolicited phone calls and messages inviting them to sporting events. The controller confirmed that the player’s personal data had been transferred to a service provider for the purpose of distributing invitations to sporting events, an activity it qualified as non-commercial. In support of its position, the controller explained that a services agreement and a data processing agreement were in place with the provider, that the provider acted solely as a processor, and that only a limited set of personal data had been shared. What is a fairly frequent practice – using a marketing service provider for distributing invitations – proved problematic for the gambling operator in this case because its privacy policy failed to make this purpose clear to players.

While the VDAI accepted that no separate legal basis was required for the transfer, it nevertheless found that the controller had breached the transparency principle and its information obligations. In particular, the privacy policy was considered insufficiently specific and potentially misleading in relation to the processing activity concerned, namely the transfer of personal data for the distribution of invitations to sporting events. As a result, the authority concluded that the players could not reasonably foresee that their personal data would be shared for purposes extending beyond the provision of core gambling services, leading to a violation of the applicable transparency and information requirements. For gambling operators, this may be a crucial lesson, in that players generally expect their data to be used for gaming services, account management, regulatory compliance, etc., and not for ancillary activities which were not properly notified to them.

  1. In principle, a transfer of personal data based on a data processing agreement is lawful and does not require a separate legal basis

In the Lithuanian case, the service agreement of the two entities was properly accompanied by a data processing agreement, pursuant to Article 28 of the GDPR. In short, this provision ensures that the controller chooses to employ only those processors that provide sufficient guarantees based on the provisions of the GDPR. Specifically, the requirement for an agreement is set out in Article 28(3), which also describes the duties of the processor.

Given the findings of the VDAI, it is safe to assume that the service provider in the case satisfied these conditions and that the data processing agreement was valid. The essential finding is thus that there is no need for a separate legal basis when the contractual relationship between the controller and the processor is lawful. This is also confirmed by the very purpose of a processor in the GDPR. Such an entity acts on behalf of the controller, meaning that the controller sets out the purposes and the means of the processing. In other words, there is a subordinated relationship between the controller and the processor. Thus, any separate choice of the processor, outside of the scope of the processing drawn by the controller, constitutes a breach of the agreement and leads to the processor becoming a controller for those activities that are not compliant, also determining full liability on their part under the GDPR.

As part of the means and purposes of the processing activity, the controller is also liable for determining the legal basis. As a result, when transferring personal data to the processor based on their agreement, the controller acts lawfully given that the processor can only process that data within the strict lines of their agreement. Of course, any processing of the same data but for another purpose can also raise issues regarding the legal basis of the activity.

Seeing that the first aspect of the Lithuanian decision is straightforward in what concerns the agreement between the controller and the processor, the discussion can move on to how this is reflected to the data subject and why the second part of the decision refers to an integral part of the internal implementation of data processing agreements.

  2. Even if a data processing agreement is in place and the transfer is thus made to a processor, the data subject must be accurately informed about the recipient of their data

Even though the data processing agreement may be bulletproof from the strict perspective of the envisioned interaction between the controller and the processor, the two parties must keep in mind that the GDPR is an instrument dedicated to the protection of the physical persons whose data is being processed, also known as the data subjects or, in this case, players. Thus, the conclusion of the VDAI becomes clear.

The gambling operator erroneously considered that the wording “other persons related to the provision of services, such as archiving and postal service providers” was sufficient to cover the transfer of data to the service provider that sent the invitations to sporting events to players. Thus, it is clear that any clause essentially stating that any other third parties may be recipients cannot satisfy the transparency requirements of the GDPR. This raises the question of what degree of exhaustiveness the privacy policy must adhere to. The answer is nuanced by design.

The safest approach would be for one to be able to list all possible recipients at the very moment when drawing up the privacy policy, showcasing an impeccable data protection capability and impressive future reading skills. Therefore, the key here is that such a policy does not need to be a stagnant instrument, but rather it must be updated any time it is necessary in order to ensure that the approach does not leave any weak points for the controller. That is why a well-rounded analysis of any operation of the company implies a privacy and data protection perspective. Naturally, this implies a well-rounded organizational culture within the business that is able to combine operational workflows with the ever-vigilant contribution of compliance and legal departments.

For gambling operators specifically, this decision underscores that player trust depends not only on secure data processing arrangements behind the scenes, but on clear, honest communication about how player data will be used. In a highly regulated sector where customer relationships and regulatory compliance are paramount, transparency is a legal obligation and a business imperative at the same time. Gambling companies must ensure their privacy policies specifically identify marketing service providers, event management companies, and any other processors who will handle player data, rather than hiding behind generic catch-all phrases.

Catalin Veliscu

Catalin Veliscu is a junior lawyer specializing in Intellectual Property, Artificial Intelligence, Data Protection, Copyright, and Gambling Law.

Petrus Partene

Petrus is a Managing Associate at WH Simion & Partners in Bucharest, specialising in data privacy, gambling, intellectual property, and technology & media.
