
GDPR and iGaming: 20 Questions About Player Data, Breach Notification and Compliance

iGaming operators are among the most data-intensive businesses in the EU. Every player account contains identity documents, financial data, behavioural profiles, and health-adjacent data (responsible gambling indicators). Getting GDPR wrong is expensive. Getting it right is a competitive advantage.

Typical range of GDPR fines for a data breach in Malta's gaming sector: €50,000–€500,000.

Data Processing Questions

  • Q: What is the legal basis for processing player data? A: Typically contract (for operating the gaming service), legal obligation (for AML/KYC), and legitimate interest (for fraud prevention and responsible gambling monitoring).
  • Q: How long can we retain player KYC documents? A: AML regulations require 5 years from relationship end. GDPR requires deletion once the purpose no longer applies. These are in tension — legal advice specific to your jurisdiction is required.
  • Q: Is betting history personal data? A: Yes. Betting patterns, game preferences, and transaction history are personal data under GDPR and must be processed lawfully, fairly, and with appropriate security.

Breach and Notification Questions

  • Q: What triggers the 72-hour GDPR notification clock? A: When you have reasonable certainty that a breach has occurred — not when you have complete information.
  • Q: What if we're not sure personal data was actually taken? A: If you cannot rule out that personal data was compromised, treat it as a presumptive breach and notify.
  • Q: What is a "notifiable breach" vs a breach we can document internally? A: Notifiable to the IDPC: any breach involving personal data that poses risk to individuals. Notifiable to players: breaches posing HIGH risk to individuals.

Frequently Asked Questions

Who is the Data Protection Authority for MGA-licensed operators?

The Information and Data Protection Commissioner (IDPC) in Malta. Website: idpc.org.mt. Breach notifications must be submitted through their online portal.

What is the maximum GDPR fine?

For serious violations: the higher of €20 million or 4% of global annual turnover. For less serious violations: the higher of €10 million or 2% of global annual turnover. In practice, most iGaming sector fines have been in the €50K–€500K range.

Does BlackFog help with GDPR compliance?

Yes. BlackFog prevents the data exfiltration events that trigger notification obligations. No exfiltration = no notifiable breach. It also produces audit logs of all data movement attempts that demonstrate active data protection controls to the IDPC.

Prevent the breaches that trigger GDPR fines

Kyanite Blue specialises in cybersecurity for iGaming operators. MGA-licensed operators across Malta trust our stack.
