GH GambleHub

GDPR and personal data processing

1) What GDPR regulates and who the subjects are

GDPR protects the rights of individuals in the EU/EEA when their personal data (PD) is processed. It applies if:
  • you are established in the EU/EEA or target users in the EU (offering goods/services, monitoring behaviour);
  • you are a controller (you determine the purposes/means of processing) or a processor (you process PD on behalf of a controller).
Key roles:
  • Controller: determines purposes/means, responsible for lawfulness and transparency.
  • Processor: acts on the controller's documented instructions, concludes a DPA.
  • DPO (Data Protection Officer): independent oversight, DPIA/DSR support, consultation, liaison with the supervisory authority.

2) Processing principles (Article 5)

1. Lawfulness, fairness, transparency.
2. Purpose limitation. Clearly described, compatible purposes.
3. Data minimization. Only what is necessary.
4. Accuracy. Updating and correction.
5. Storage limitation. Retention periods and deletion/anonymization.
6. Integrity and confidentiality. Security by default.
7. Accountability. Provable compliance (policies, logs, DPIA).

3) Legal grounds (Art. 6) - matrix for iGaming/fintech

Purpose                                                | Sample data                                             | Basis
Account creation, transactions, payments               | Identification, payment data                            | Contract
KYC/AML/taxes, age checks                              | Documents, biometrics (where required), transaction log | Legal obligation
Anti-fraud, safety, quality of service                 | Device/IP, behavioural signals                          | Legitimate interest (LIA)
Marketing (email/SMS/push), optional analytics         | Contacts, cookie/IDs                                    | Consent
RG (responsible gaming) - mandatory legal requirements | Behavioural data/limits                                 | Legal obligation/LIA (by jurisdiction)
💡 For legitimate interest, run an LIA balancing test; for consent, ensure it is freely given, informed and unambiguous, with an easy opt-out.

4) Special categories and biometrics (Art. 9)

Processing of special categories (health, beliefs, etc.) is prohibited unless a separate legal basis applies.
Biometrics used for unique identification (for example, a face template for liveness/face matching) require explicit consent or another narrow legal basis (depending on the country). Store templates rather than "raw" images where possible.

5) Profiling and automated decisions (Article 22)

iGaming/fintech use profiling for fraud detection, responsible gaming (RG) and risk limits. Requirements:
  • transparent disclosure of the logic (within reasonable limits), its significance and consequences;
  • the right to human intervention and to challenge the decision;
  • a DPIA where the processing is likely to result in a high risk to rights and freedoms (large-scale profiling).
Recommendations: store reason codes, version models/rules, conduct bias audits.
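As an added example (not code from GambleHub's platform), the following Python shows what "store reason codes, version models/rules" looks like in practice: every automated risk decision carries the codes that fired, the rule-set version that produced it, a plain-language explanation for the data subject, and a separate human-review entry that never overwrites the automated result. The rule names, thresholds and signal fields are constructed for illustration.

```python
# Added example (not GambleHub's code): an automated risk decision that keeps
# reason codes, the rule-set version and a record of human review, so that a
# subject can be told what weighed and can challenge the outcome (Article 22).
# Rule names, thresholds and signal names are constructed for illustration.
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Any, Callable, Dict, List, Optional, Tuple

RULES_VERSION = "fraud-rules-v3"      # hypothetical version label of the rule set
REVIEW_AT, BLOCK_AT = 30, 60          # constructed score thresholds

# (code, plain-language description, predicate over the signals, points)
RULES: List[Tuple[str, str, Callable[[Dict[str, Any]], bool], int]] = [
    ("DEVICE_REUSE", "device fingerprint seen on more than 3 accounts",
     lambda s: s.get("device_account_count", 0) > 3, 40),
    ("GEO_MISMATCH", "IP country differs from KYC country",
     lambda s: s.get("ip_country") != s.get("kyc_country"), 25),
    ("VELOCITY", "more than 5 deposits in 10 minutes",
     lambda s: s.get("deposits_10min", 0) > 5, 30),
    ("NEW_ACCOUNT", "account younger than 24 hours",
     lambda s: s.get("account_age_hours", 10**6) < 24, 10),
]

@dataclass
class Decision:
    decision_id: str
    subject_id: str
    outcome: str                      # "allow" | "review" | "block"
    score: int
    reason_codes: List[str]           # which rules fired, in rule order
    rules_version: str                # which version produced the result
    made_at: str
    human_review: Optional[Dict[str, str]] = None

def _now() -> str:
    return datetime.now(timezone.utc).isoformat()

def evaluate(decision_id: str, subject_id: str, signals: Dict[str, Any]) -> Decision:
    """Score the signals and record every rule that contributed."""
    fired = [(code, pts) for code, _, pred, pts in RULES if pred(signals)]
    score = sum(pts for _, pts in fired)
    outcome = "block" if score >= BLOCK_AT else "review" if score >= REVIEW_AT else "allow"
    return Decision(decision_id, subject_id, outcome, score,
                    [code for code, _ in fired], RULES_VERSION, _now())

def explain(decision: Decision) -> List[str]:
    """Disclosure for the data subject: which rules fired and what each means."""
    descriptions = {code: text for code, text, _, _ in RULES}
    return [f"{code}: {descriptions[code]}" for code in decision.reason_codes]

def human_review(decision: Decision, reviewer: str, new_outcome: str, note: str) -> Decision:
    """Record a human intervention without overwriting the automated result."""
    decision.human_review = {
        "reviewer": reviewer,
        "original_outcome": decision.outcome,
        "outcome": new_outcome,
        "note": note,
        "at": _now(),
    }
    return decision

if __name__ == "__main__":
    d = evaluate("dec-1", "player-42", {"device_account_count": 5, "ip_country": "DE",
                                        "kyc_country": "DE", "deposits_10min": 1,
                                        "account_age_hours": 2})
    print(d.outcome, d.score, explain(d))
    human_review(d, "analyst-7", "allow", "shared family device confirmed during KYC call")
    print(d.human_review)
```

Because the rule table carries both the predicate and a description, the same structure feeds the disclosure to the subject and the bias audit: re-running `evaluate` on a stored signal snapshot with a given `RULES_VERSION` reproduces the original decision.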

6) DPIA/DTIA: when mandatory

Conduct a DPIA when the risk is high: large-scale profiling, biometrics, "systematic monitoring", new data sources.
DPIA template: purpose and description of the processing → legal grounds → risks to subjects → mitigation measures → residual risk → action plan.
DTIA (transfer impact assessment for cross-border transfers): legal environment of the recipient country + contractual/technical measures (SCC/equivalent, encryption, key separation).

7) Cross-border transfers (Ch. V)

Mechanisms: SCC, BCR, adequacy decisions, local equivalents.
Technical measures: end-to-end encryption, key separation, field minimization, pseudonymization before transfer.
Keep a transfer register and document DTIA results; review the risks regularly.

8) Rights of data subjects (DSR)

Rights of access, rectification, erasure, restriction, portability, objection, and objection to direct marketing.
Deadlines: usually up to 30 days (extendable by another 60 days for complex requests, with notification to the subject).
Verify the applicant's identity (without collecting more than necessary).
Exceptions: retention required by AML/tax obligations, etc.; document each exception.

9) Cookies/SDKs and marketing

Categorize cookies as strictly necessary/functional/analytics/marketing.
For EU/EEA analytics/marketing cookies - opt-in (a real choice), a consent log, detailed descriptions.
Respect Do Not Track/opt-out signals; use server-side analytics and data minimization.
Email/SMS marketing - separate consent; keep proof of consent with timestamps.
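The "consent log" and "proof of consent with timestamps" above can be implemented as an append-only record that is consulted before every send. The following Python is an added example, not GambleHub's code: it stores each opt-in or withdrawal with its timestamp, source and a hash of the exact wording shown, treats the absence of a record as no consent, keeps email and SMS as separate purposes, and computes the share of events backed by an explicit choice. Purpose names, sources and wording versions are constructed.

```python
# Added example (not GambleHub's code): an append-only consent log that stores
# a timestamped proof of each opt-in and withdrawal and is consulted before any
# marketing send. Purposes, sources and wording versions are constructed.
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Sequence, Tuple

@dataclass(frozen=True)
class ConsentRecord:
    user_id: str
    purpose: str            # e.g. "marketing_email", "analytics_cookies"
    granted: bool           # True = opt-in, False = withdrawal / opt-out
    at: datetime            # UTC timestamp of the choice
    source: str             # where it was captured: banner, signup form, unsubscribe link
    text_version: str       # version label of the wording shown
    text_sha256: str        # hash of the exact wording, as proof of what was shown

def wording_hash(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def ts(iso: str) -> datetime:
    """Parse an ISO-8601 timestamp with offset, e.g. '2024-05-01T12:00:00+00:00'."""
    return datetime.fromisoformat(iso)

class ConsentLog:
    def __init__(self) -> None:
        self._records: List[ConsentRecord] = []

    def record(self, user_id: str, purpose: str, granted: bool, source: str,
               text_version: str, text: str, at: Optional[datetime] = None) -> ConsentRecord:
        rec = ConsentRecord(user_id, purpose, granted, at or datetime.now(timezone.utc),
                            source, text_version, wording_hash(text))
        self._records.append(rec)      # withdrawals are new rows; nothing is edited or deleted
        return rec

    def latest(self, user_id: str, purpose: str, at: datetime) -> Optional[ConsentRecord]:
        """The choice in force at time `at`: the most recent record not after `at`."""
        cands = [r for r in self._records
                 if r.user_id == user_id and r.purpose == purpose and r.at <= at]
        return max(cands, key=lambda r: r.at) if cands else None

    def has_consent(self, user_id: str, purpose: str, at: Optional[datetime] = None) -> bool:
        """No record means no consent: silence or a pre-ticked box is not an opt-in."""
        rec = self.latest(user_id, purpose, at or datetime.now(timezone.utc))
        return rec is not None and rec.granted

    def coverage(self, events: Sequence[Tuple[str, str, datetime]]) -> float:
        """Share of (user, purpose, time) events backed by an explicit opt-in or opt-out."""
        if not events:
            return 1.0
        backed = sum(1 for u, p, t in events if self.latest(u, p, t) is not None)
        return backed / len(events)

def may_send_marketing(log: ConsentLog, user_id: str, channel: str) -> bool:
    """Gate a send on channel-specific consent (email and SMS are separate purposes)."""
    return log.has_consent(user_id, f"marketing_{channel}")

if __name__ == "__main__":
    log = ConsentLog()
    log.record("u-1", "marketing_email", True, "signup_form", "v2",
               "Yes, send me offers by email.", at=ts("2024-05-01T12:00:00+00:00"))
    print(may_send_marketing(log, "u-1", "email"), may_send_marketing(log, "u-1", "sms"))
```

Keeping the wording hash and version alongside the timestamp is what turns the log into proof: when a subject disputes a send, the record shows what they were shown, when, and through which interface, and the later withdrawal row shows when the send should have stopped.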

10) Security and "privacy by design/default"

Encryption in transit and at rest, tokenization of payment details, isolation of data zones (PII ↔ analytics).
RBAC/ABAC access control, MFA, JIT accesses, activity log, WORM archive.
DLP control of uploads and exchanges; prohibit unauthorized copies of production data on dev/stage.
Minimize fields, aggregate and anonymize where there is no need for identification.
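The "isolation of data zones (PII ↔ analytics)" and "minimize fields / pseudonymize" points above, together with "pseudonymization before transfer" and "key separation" from section 7, come down to one boundary function. The following Python is an added example, not GambleHub's code: an event leaving the PII zone is reduced to an allow-list of fields, direct identifiers are replaced by keyed HMAC tokens (the key stays in the PII zone, so the analytics zone cannot reverse or recompute them), and the IP address is coarsened to its network. The field names, sample event and key are constructed.

```python
# Added example (not GambleHub's code): field minimisation and keyed
# pseudonymisation applied at the boundary between the PII zone and the
# analytics zone, before an event is exported or transferred. Field names,
# the key and the sample event are constructed for illustration.
import hashlib
import hmac
import ipaddress
from typing import Any, Dict

# Allow-list: the only fields the analytics zone may receive at all.
ANALYTICS_FIELDS = {"user_id", "event", "amount_eur", "ip", "country", "ts"}
# Direct identifiers within that list leave only as keyed pseudonyms.
PSEUDONYMIZED_FIELDS = {"user_id"}

def pseudonym(value: str, key: bytes, domain: str) -> str:
    """Keyed HMAC-SHA256 token. A plain hash could be reversed by hashing guessed
    inputs (short user ids, emails); with the key held only in the PII zone,
    the analytics zone cannot recompute or reverse tokens. The domain tag keeps
    tokens issued for different purposes unlinkable."""
    mac = hmac.new(key, f"{domain}:{value}".encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:32]

def coarsen_ip(ip: str) -> str:
    """Keep only the /24 (IPv4) or /48 (IPv6) network, enough for geo/abuse trends."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))

def export_event(raw: Dict[str, Any], key: bytes) -> Dict[str, Any]:
    """Build the minimised, pseudonymised copy that may cross into analytics."""
    out: Dict[str, Any] = {}
    for field, value in raw.items():
        if field not in ANALYTICS_FIELDS:
            continue                       # email, document numbers, names never leave
        if field in PSEUDONYMIZED_FIELDS:
            out[field] = pseudonym(str(value), key, "analytics")
        elif field == "ip":
            out[field] = coarsen_ip(str(value))
        else:
            out[field] = value
    return out

def leaks_identifiers(exported: Dict[str, Any], raw: Dict[str, Any]) -> bool:
    """Control check: no raw value of a dropped, pseudonymised or coarsened field survives."""
    sensitive = {str(v) for k, v in raw.items()
                 if k not in ANALYTICS_FIELDS or k in PSEUDONYMIZED_FIELDS or k == "ip"}
    return any(str(v) in sensitive for v in exported.values())

# Constructed sample event as it exists in the PII zone.
SAMPLE_EVENT = {
    "user_id": "u-1001", "email": "player@example.com", "document_no": "P1234567",
    "event": "deposit", "amount_eur": 50, "ip": "203.0.113.7", "country": "DE",
    "ts": "2024-05-01T12:00:00Z",
}
SAMPLE_KEY = b"constructed-analytics-key-not-for-production"

if __name__ == "__main__":
    print(export_event(SAMPLE_EVENT, SAMPLE_KEY))
```

The allow-list is the minimization control and the HMAC key is the isolation control: a DLP rule or unit test over `leaks_identifiers` catches a new field being added to the event without going through the boundary, and rotating or withholding the key for a downstream recipient makes its copy unlinkable to the accounts.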

11) Register of Operations (RoPA) and Retention

Maintain RoPA: purpose, grounds, categories of data and subjects, recipients, retention periods, security measures, transfers abroad.
Retention matrix: for each PD category - the retention period (for example, AML/KYC ≥5 years after the end of the relationship), the method of deletion/anonymization, and the responsible owner.

12) Breaches and notifications (Art. 33/34)

Assess the risk to rights and freedoms: if harm is likely, notify the supervisory authority within 72 hours; if the risk is high, also notify the data subjects without undue delay.
Response plan: containment, forensics, remediation, communications, post-mortem; retain artifacts and decisions.

13) Processors, DPAs and vendor management

Conclude a DPA with each processor: subject matter, PD categories, sub-processors, security, DSR/incident assistance, audit rights, deletion/return of data.
Conduct due diligence: location, certifications (ISO/SOC), incident history, security measures, sub-processors.
Reassess annually and on changes (sanctions, M&A, geography).

14) Matrix "Purposes → Grounds → Retention period"

Purpose              | Basis                | Sample retention period
Account/Transactions | Contract             | While the contract is valid + N months
AML/KYC              | Legal obligation     | ≥5 years after the end of the relationship
Anti-fraud/safety    | LIA                  | Rolling window of 12-24 months (pseudonymized)
Marketing            | Consent              | While consent is in effect or until withdrawal
RG/Compliance        | Legal obligation/LIA | Per local law and policy
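The retention matrix of section 11 and the purpose/basis/period table above become useful only once a job applies them to real records. The following Python is an added example, not GambleHub's code: each category maps to a policy (basis, period, the date the period is counted from, and whether the outcome is deletion or anonymization), `due_action` decides what is due for one record, and a legal hold records the documented exception from section 8 instead of silently skipping the record. The category names, the 18-month anti-fraud window and the value of N (6 months) are assumptions made for this example; the AML/KYC period follows the 5-year figure in the text.

```python
# Added example (not GambleHub's code): a retention engine that turns the
# matrix into a per-record decision (keep / delete / anonymize / hold).
# The categories, periods and the value of N (6 months) are assumptions made
# for this example; the AML/KYC period follows the 5-year figure in the text.
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic that clamps to the last valid day of the month."""
    year, month0 = divmod(d.month - 1 + months, 12)
    year += d.year
    month = month0 + 1
    leap = year % 4 == 0 and (year % 100 != 0 or year % 400 == 0)
    days = [31, 29 if leap else 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31][month - 1]
    return date(year, month, min(d.day, days))

@dataclass(frozen=True)
class Policy:
    basis: str
    months: int          # retention period counted from the anchor
    anchor: str          # "relationship_end" | "event" | "withdrawal"
    action: str          # "delete" | "anonymize" once the period has run

# Constructed retention matrix, one policy per PD category.
MATRIX: Dict[str, Policy] = {
    "account_transactions": Policy("contract", 6, "relationship_end", "delete"),
    "aml_kyc":              Policy("legal_obligation", 60, "relationship_end", "delete"),
    "antifraud":            Policy("legitimate_interest", 18, "event", "anonymize"),
    "marketing":            Policy("consent", 0, "withdrawal", "delete"),
}

@dataclass
class Record:
    record_id: str
    category: str
    created: date                              # event date (rolling-window anchor)
    relationship_end: Optional[date] = None    # None while the account is open
    consent_withdrawn: Optional[date] = None   # None while consent is in effect
    legal_hold: bool = False                   # e.g. open AML inquiry or litigation

def due_action(rec: Record, today: date) -> Tuple[str, Optional[date]]:
    """Return (action, due_date). 'hold' is the documented exception, not a silent skip."""
    pol = MATRIX[rec.category]
    anchor = {"relationship_end": rec.relationship_end,
              "event": rec.created,
              "withdrawal": rec.consent_withdrawn}[pol.anchor]
    if anchor is None:
        return ("keep", None)            # the period has not started yet
    due = add_months(anchor, pol.months)
    if today < due:
        return ("keep", due)
    if rec.legal_hold:
        return ("hold", due)             # the period has run but deletion is suspended
    return (pol.action, due)

def sweep(records: List[Record], today: date) -> List[Tuple[str, str]]:
    """Daily job: record ids with the deletion or anonymization that is due today."""
    due: List[Tuple[str, str]] = []
    for r in records:
        action, _ = due_action(r, today)
        if action in ("delete", "anonymize"):
            due.append((r.record_id, action))
    return due

if __name__ == "__main__":
    recs = [
        Record("r1", "aml_kyc", date(2015, 1, 1), relationship_end=date(2019, 3, 31)),
        Record("r2", "antifraud", date(2022, 1, 15)),
        Record("r3", "marketing", date(2023, 1, 1)),
        Record("r4", "account_transactions", date(2020, 1, 1),
               relationship_end=date(2024, 1, 31), legal_hold=True),
    ]
    for r in recs:
        print(r.record_id, due_action(r, date(2024, 8, 1)))
    print(sweep(recs, date(2024, 8, 1)))
```

Returning a due date even for "keep" is what feeds the retention adherence metric: the audit compares the date an action was actually performed against the date the engine said it was due, and "hold" results give the list of exceptions that need a documented reason.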

15) Documentation for your wiki (skeletons)

1. Privacy policy (layered): short version + full version.
2. Cookie/consent management policy.
3. Processing register (RoPA).
4. DPIA/DTIA template + trigger criteria.
5. DSR policy (SLAs/procedures/templates).
6. Retention and deletion policy + deletion job pipeline.
7. Incident and notification policy (RACI, forms).
8. DPA template and vendor due diligence checklist.
9. Rules for profiling and automated decisions (explainability, appeals).

16) Metrics and control

DSR SLA: share of requests closed within 30 days.
Consent coverage: proportion of events with a valid opt-in/opt-out.
Data minimization index: average number of data points per feature.
Access violations/exports: access and download incidents, trend.
Encryption coverage: % of tables/buckets/backups encrypted.
Incident MTTR/MTTD and recurrence.
Vendor compliance rate and audit results.
RoPA completeness and retention adherence.

17) Checklists

Before launching a feature (privacy by design):
  • DPIA/legal basis confirmed by the DPO.
  • Purposes/bases/retention periods entered in the RoPA.
  • Field minimization/pseudonymization/isolation of data zones.
  • Consent banner and cookie categories configured.
  • DPAs/vendors agreed, sub-processors listed.
  • Logs, alerts, auditing, deletion/anonymization - enabled.
In operation (quarterly):
  • Access review (RBAC/ABAC), revoke excess access.
  • Backup recovery test.
  • Review of DTIA/SCCs and the sub-processor list.
  • Retention audit (deleted on time) and DSR register.
  • IR plan exercise and playbook updates.
DSR process:
  • Verify the applicant.
  • Collect data from systems via the RoPA.
  • Respond on time, recording the reasons for any exceptions.
  • Update records and notify recipients (where applicable).

18) Implementation roadmap

1. Inventory of systems and PD flows; build the RoPA.
2. Appoint a DPO, approve policies and RACI.
3. Launch the DPIA/DTIA process and consent management.
4. Data zone separation, encryption, DLP, logs and WORM archive.
5. Retention pipeline and deletion/anonymization.
6. Vendor review, DPAs, sub-processor register.
7. Profiling: reason codes, appeals, explainability.
8. Regular metrics, board reporting, external/internal audit sessions.

Result

GDPR compliance is not just a policy on the website but a system for managing the PD lifecycle: correct legal grounds, minimization and security by default, DPIA/DTIA, respect for the rights of data subjects, controlled vendors and measurable metrics. By building privacy into the architecture and processes, you retain licences, partnerships and player trust - without sacrificing product speed and conversion.
