TLDR France’s ANJ and CNIL released an updated GDPR guide for gambling operators covering casinos, online betting, and exclusive rights holders like FDJ and PMU. The guide clarifies that all data processing, even paper records, falls under GDPR and that sensitive data like health info needs extra safeguards. Operators cannot reuse data collected for responsible gambling purposes for marketing or other unrelated activities. Practical compliance steps include appointing a Data Protection Officer, mapping data flows, and publishing transparent privacy policies. A major section addresses how GDPR intersects with anti-money laundering and counter-terrorism financing obligations, requiring mandatory impact assessments.
France’s gambling regulator, the Autorité Nationale des Jeux (ANJ), has published an updated guide to help gambling operators comply with the General Data Protection Regulation (GDPR). The document was developed in partnership with the CNIL, France’s data protection authority.
The guide is aimed at casinos, online betting platforms, and exclusive rights holders such as FDJ and PMU. It is not a set of binding rules but rather a practical reference for aligning data practices with existing law.
What the Updated GDPR Guide Covers
The document opens with a breakdown of GDPR fundamentals. It defines what counts as personal data and explains that even basic actions like consulting a file or keeping paper records qualify as data processing under the regulation.
Sensitive data categories receive special attention. Health information and biometric identifiers require additional safeguards. Operators may only collect this type of data when justified by public interest, such as efforts to prevent pathological gambling.
One key point is that data collected for one purpose cannot be repurposed for another. The ANJ specifically states that files tracking players with excessive gambling habits cannot be reused for marketing offers.
The guide identifies operators as the “responsible party” for data processing. Service