Data Management in Gambling: GDPR, AML and Cybersecurity Risks in 2026

The gambling industry processes sensitive player data, which is a frequent target of cyberattacks. In 2026, betting operators must comply with strict requirements under the GDPR, AML rules, and the Gambling Act. Failures in data security can result in crippling fines and the loss of a licence. This article summarises the key risks and obligations related to data management in the gambling sector.


Key takeaways

  • Data sensitivity: Gambling operators process special categories of personal data, such as data on behaviour, potential addiction, or financial stability, which require the highest security standards.
  • Draconian sanctions: A fine for a GDPR breach can reach up to EUR 20 million or 4% of total worldwide annual turnover, which is significantly more than fines under the Czech Gambling Act.
  • Critical areas: Operators often underestimate the legal basis for player profiling, information duties, and security when transferring data to partners such as payment gateways or marketing providers.
  • RVO and prevention: The Register of Excluded Persons (RVO) and self-exclusion tools are regulatory obligations that generate specific data, the leakage of which may cause serious harm to players.
  • The role of attorneys: The legal team at ARROWS advokátní kancelář provides compliance audits, sets up contracts with processors, represents clients in inspections by the Czech Data Protection Authority (ÚOOÚ) or the Customs Administration, and handles security incidents.

Why GDPR and data protection in gambling are a key issue

The gambling industry in the Czech Republic operates on the basis of a licence issued by the Ministry of Finance. This licence is conditional on meeting a number of strict regulatory requirements, and the protection of players’ personal data is one of the key pillars.

The combination of these levels of regulation creates a specific legal environment. On the one hand, there are the general obligations under the GDPR; on the other hand, there are specific obligations under the Czech Gambling Act and the AML Act.

What do operators fear most often? Fines and reputational risk. The Czech Data Protection Authority (ÚOOÚ) sanctions GDPR breaches systematically and with regard to the group’s turnover. A fine for a serious breach, for example a leak of players’ data, can reach up to EUR 20 million or 4% of total worldwide annual turnover under Article 83 GDPR.

Which data in gambling are the most sensitive and why

A gambling operator collects and processes data of three basic types. The first type is identification and verification data (KYC). This includes name, personal identification number, date of birth, address, or bank account details.

This data is necessary for player registration, identity and age verification, and anti-money laundering prevention.

The second type is financial and behavioural data. This includes deposit amounts, betting history, preferred game types, or IP addresses. Although this is not automatically a special category under the GDPR, combining it creates a detailed profile of the player’s personality and financial situation.

If the operator records data from which pathological gambling can be inferred, this constitutes health data, which is a special category of personal data.

Processing such data on the risk of problem gambling is generally prohibited unless an exemption applies. Such an exemption may be compliance with a legal obligation in the area of social protection or a substantial public interest.

Legal basis and consent

Where do operators most often make mistakes? Many of them underestimate the need to correctly determine the legal basis for individual data processing operations.

Many operators mistakenly believe that the collection and processing of players’ data is fully authorised by the operating licence itself.

The GDPR requires a specific legal basis for each purpose of processing. For identification data and AML checks, this is compliance with a legal obligation. The operator collects the name and personal identification number on the basis of statutory requirements.

In this case, you must not require the player’s consent, because it would be invalid.

For behavioural data used for marketing, the situation is different. If you analyse a player’s behaviour to personalise an offer, no law requires you to do so, so “compliance with a legal obligation” cannot be the basis. Here, the legal basis is either legitimate interest for basic analytics, or consent for advanced profiling.

Verifying whether a player is listed in the Register of Excluded Persons (RVO) is compliance with a legal obligation.

The operator must query the Ministry of Finance via remote access. However, internal detection of risky behaviour beyond the statutory requirements may require careful assessment.

A typical risk arises when an operator collects data on “risky” players significantly beyond what is necessary, for example by screening social media. The Czech Data Protection Authority (ÚOOÚ) may qualify this as a breach of the data minimisation principle.

Related questions

1. Do we need the player’s consent to verify them in the RVO (Register of Excluded Persons)?
No. Verification in the RVO is a statutory obligation of the operator (Section 17 of the Czech Gambling Act). The player’s consent is not required and would not be a valid legal basis.

2. We have data from third countries. Does the GDPR apply to it?
Yes. If the operator offers services to players in the EU or monitors their behaviour, the GDPR applies regardless of the operator’s registered seat (the extraterritoriality principle under Article 3 GDPR).

3. Can we sell behavioural data to third parties?
Selling data (e.g., to marketing agencies) is highly risky. It is possible only if: (a) you have the player’s explicit and informed consent to transfer the data to a specific third party, and (b) the data subject has been informed accordingly. Without consent, this constitutes a serious GDPR breach.

Security, data transfers, and third-party risks

A gambling operator shares data with a number of entities, such as payment service providers, gaming platform vendors, or marketing agencies.

The relationship with commercial partners is a controller–processor relationship, and the law requires a written data processing agreement.

This agreement must include confidentiality obligations, a guarantee of security measures, and an obligation to report incidents. The controller must also reserve the right to audit the processor.

If the conditions for transfers of data to third countries are not met, this constitutes an unlawful data transfer.

This applies, for example, to the use of cloud services or analytics tools with servers outside the EU/EEA. Operators must ensure that the mechanisms used, such as the Data Privacy Framework, are valid.

NIS2 and cybersecurity

From 2025/2026, the new Czech Cybersecurity Act implementing the NIS2 Directive will also apply to a number of larger gambling operators.

Operators may fall into the category of “important” or “essential” entities. This means an obligation to report cybersecurity incidents not only to the Czech Data Protection Authority (ÚOOÚ), but also to NÚKIB, and to implement advanced technical measures.

Data subject rights and gambling-specific aspects

Players have strong rights under the GDPR, but exercising them in gambling runs up against statutory limits. A frequent point of dispute is the right to erasure (to be forgotten) in contrast with AML obligations.

Under the AML Act, identification data and transaction data must be retained for 10 years from the end of the business relationship.

The operator therefore cannot delete everything. The correct response to the player is key: “We will delete marketing data, but we must retain transaction history by law.” The player also has the right of access, which in practice means an obligation to export the history of bets and deposits.
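The erasure-vs-AML rule above is easiest to get right when it is written down as a retention schedule and applied mechanically. The following is an added example, not the article’s or ARROWS’ own tooling: it assumes three data categories (identification, transaction, marketing), applies the 10-year AML retention period counted from the end of the business relationship as stated above, and produces the kind of answer the article recommends giving the player. The records and dates are constructed sample data; the function and category names are assumptions for illustration.

```python
"""Erasure-request handler applying a GDPR-vs-AML retention schedule.

Added example (not the page's or the law firm's own code). Assumes three
data categories and the 10-year AML retention period the article states.
All records and dates below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import Optional

AML_RETENTION_YEARS = 10  # AML Act: 10 years from the end of the business relationship


class Category(Enum):
    IDENTIFICATION = "identification"  # KYC data: name, ID number, address, bank account
    TRANSACTION = "transaction"        # deposits, bets, withdrawals
    MARKETING = "marketing"            # consent-based profiling, offers, preferences


# Categories covered by the statutory AML retention duty
AML_CATEGORIES = {Category.IDENTIFICATION, Category.TRANSACTION}


@dataclass(frozen=True)
class Record:
    category: Category
    description: str


@dataclass(frozen=True)
class ErasureDecision:
    delete: tuple                 # records that can be erased now
    retain: tuple                 # records the AML duty still covers
    retain_until: Optional[date]  # None while the relationship is still open


def add_years(d: date, years: int) -> date:
    """Shift a date by whole years; 29 Feb maps to 28 Feb in a non-leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def decide_erasure(records, relationship_end: Optional[date], today: date) -> ErasureDecision:
    """Split records into deletable-now and must-retain.

    relationship_end is None while the player still has an active account: the
    10-year clock has not started, so AML-covered data must be kept regardless
    of the request. Marketing data has no statutory retention and goes at once.
    """
    retain_until = add_years(relationship_end, AML_RETENTION_YEARS) if relationship_end else None
    aml_expired = retain_until is not None and today >= retain_until
    delete, retain = [], []
    for r in records:
        if r.category in AML_CATEGORIES and not aml_expired:
            retain.append(r)
        else:
            delete.append(r)
    return ErasureDecision(tuple(delete), tuple(retain), retain_until)


def player_response(decision: ErasureDecision) -> str:
    """Plain-language answer for the player, following the article's template."""
    if not decision.retain:
        return "All your personal data has been deleted."
    deleted = ", ".join(sorted({r.category.value for r in decision.delete})) or "nothing further"
    kept = ", ".join(sorted({r.category.value for r in decision.retain}))
    until = (decision.retain_until.isoformat() if decision.retain_until
             else "10 years after your account is closed")
    return (f"We have deleted your {deleted} data. By law (AML Act) we must retain "
            f"your {kept} data until {until}.")


# Constructed sample player record set
SAMPLE_RECORDS = (
    Record(Category.IDENTIFICATION, "name, personal ID number, address"),
    Record(Category.TRANSACTION, "deposit and betting history"),
    Record(Category.MARKETING, "email offer preferences, behavioural profile"),
)


def run_samples():
    """Four constructed scenarios evaluated on a fixed 'today'."""
    today = date(2026, 3, 1)
    return {
        "active": decide_erasure(SAMPLE_RECORDS, None, today),
        "closed_2024": decide_erasure(SAMPLE_RECORDS, date(2024, 6, 30), today),
        "closed_2015": decide_erasure(SAMPLE_RECORDS, date(2015, 1, 1), today),
        "leap": decide_erasure(SAMPLE_RECORDS, date(2024, 2, 29), today),
    }


if __name__ == "__main__":
    for name, decision in run_samples().items():
        print(f"{name}: {player_response(decision)}")
```

The point of keeping the schedule in one place is that customer support then cannot promise more than the law allows: the response text is generated from the same decision the deletion job acts on, so the two cannot drift apart.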

If a decision is based solely on automated processing and produces legal effects for the player, the player has the right to human review.

This right to object to profiling applies, for example, where an automated system blocks an account or assesses a player as risky without human involvement.

RVO and self-exclusion: Specific obligations

The Gambling Act introduced the Register of Excluded Persons (RVO). This is a non-public information system of public administration, administered by the Ministry of Finance.

The operator is required, upon registration and then at each login, to verify whether the player is listed in the RVO. If the player is listed, the operator must not allow them to participate in the game.

From a GDPR perspective, it is key that the operator does not enter data into the RVO directly, but only reads the status.

Entries are made by the Ministry of Finance at the player’s request or ex officio. There is also operator-level self-exclusion, where the player sets limits for bets or losses. The operator must protect these data and must not use them for marketing.

Risks and sanctions, and how ARROWS helps (office@arws.cz)

  • Risk: Insufficient legal basis for marketing. The operator sends offers without valid consent or legitimate interest.
    How ARROWS helps: Audit of consent collection processes, review of “checkbox” wording, and setting legitimate interest in line with case law.

  • Risk: Missing agreements (DPAs) with suppliers. The operator has not contractually addressed data transfers to the platform or marketing supplier.
    How ARROWS helps: Drafting and review of data processing agreements, setting supplier liability for data breaches.

  • Risk: Conflict “Erasure vs. AML”. The operator does not know what to delete and what to keep when a player exercises the right to erasure.
    How ARROWS helps: Preparation of a retention and disposal schedule and template responses for players that comply with both the GDPR and the AML Act (10-year retention).

  • Risk: Late incident reporting. A data breach was not reported to the Czech Data Protection Authority (ÚOOÚ) within 72 hours.
    How ARROWS helps: Crisis management, legal representation before the Czech Data Protection Authority (ÚOOÚ), minimisation of fines and reputational damage.

  • Risk: Non-transparent Privacy Policy. Information on data processing is unclear or incomplete for players.
    How ARROWS helps: Drafting clear, tailored Privacy Policies for gambling operations.

Regulatory perspective: What the Czech Data Protection Authority (ÚOOÚ) and the Ministry of Finance review

Supervision in the Czech Republic is divided among several institutions. The Czech Data Protection Authority (ÚOOÚ) primarily oversees compliance with the GDPR.

It focuses on data security, lawfulness of processing, cookie banners, and handling players’ requests.

The Ministry of Finance and the Customs Administration oversee compliance with the Gambling Act. They focus on the functionality of RVO checks, the setup of self-exclusion measures, and compliance with the ban on gambling by minors.

The Financial Analytical Office oversees compliance with the AML Act, in particular customer identification and due diligence.

This authority, known as the FAÚ, also ensures proper data retention for 10 years. All of these inspections closely relate to data handling and data security.

Practical steps: How to implement the rules safely

To achieve compliance in 2026, we recommend taking the following steps:

  • Data audit: Map data flows. Do you know exactly where players’ data ends up and whether you have an overview of all cloud services?
  • Review DPA agreements: Make sure you have a valid data processing agreement in place with every IT and marketing supplier.
  • Update your information obligations: Check whether your Privacy Policy includes information on the RVO, AML retention periods, and automated decision-making.
  • Employee training: Customer support staff must know how to respond to an erasure request and must not promise deletion of data subject to AML retention.
  • Incident Response Plan: Have a scenario ready in case of a data breach, including who to call and who reports the incident to the Czech Data Protection Authority (ÚOOÚ) or NÚKIB.

FAQ

1. Is it enough to have only “Terms and Conditions” on the website?
No. You must have a separate “Privacy Policy” document that meets the requirements of Articles 13 and 14 GDPR. It must be separate from the terms and conditions, and the player must have it available at registration. ARROWS’ Prague-based attorneys will prepare a tailored document for you. Write to office@arws.cz.

2. What security standards do we need to meet?
The GDPR requires “appropriate measures”. In gambling, this de facto means database encryption, pseudonymisation, strong access management, and activity logging. If you fall under the Cybersecurity Act (NIS2), the requirements are even stricter (including an audit). Contact office@arws.cz for a consultation with our IT lawyers.

3. Do we have to appoint a Data Protection Officer (DPO)?
Most likely yes. The obligation to appoint a Data Protection Officer (DPO) arises if the controller’s core activities consist of large-scale regular and systematic monitoring of data subjects or large-scale processing of special categories of data. Gambling operators that profile players and process large volumes of data typically meet this definition.

4. What should we do if we discover a security incident?
You have a strict deadline of 72 hours from the moment you become aware of the incident to report it to the Czech Data Protection Authority (ÚOOÚ) (if there is a risk to individuals’ rights). If the risk is high (e.g., leakage of passwords or financial data), you must also inform the players themselves.

5. Can we be inspected by someone other than the Czech Data Protection Authority (ÚOOÚ)?
Yes. In the AML area, you may be inspected by the FAÚ and the Customs Administration. In the cybersecurity area, by NÚKIB (if you are a regulated entity). All of these inspections involve data handling. ARROWS, a Prague-based law firm, will represent you in these proceedings. Contact office@arws.cz.

Disclaimer: The information contained in this article is for general informational purposes only and serves as a basic guide to the issue as of 2026. Although we strive for maximum accuracy, laws and their interpretation evolve over time. We are ARROWS Law Firm, a member of the Czech Bar Association (our supervisory authority), and for the maximum security of our clients, we are insured for professional liability with a limit of CZK 400,000,000. To verify the current wording of the regulations and their application to your specific situation, it is necessary to contact ARROWS Law Firm directly (office@arws.cz). We are not liable for any damages arising from the independent use of the information in this article without prior individual legal consultation.
