Compliance on All Levels

Full compliance in the handling of our games, in the fight against corruption and money laundering and in the provision of the highest possible standards of security and safety for all our customers and guests: these prerequisites are absolutely imperative for us as legal and licensed gaming operators.

Compliance thus plays a central role in all our business activities. The long-established and regularly audited pillars of compliance in the Casinos Austria and Austrian Lotteries Group are as follows:

  • Anti-money laundering & compliance (ISO 19600)
  • Anti-corruption (ISO 37001)
  • Information security (ISO/IEC 27001:2013; WLA-SCS: 2016 “Security Control Standard”)
  • Data protection and privacy (GoodPriv@cy Standard)
  • Quality management (ISO 9001:2015)

Year after year, we set ourselves ambitious goals in all these areas to ensure that we continue to develop and remain at the top of our game. Our internal Code of Conduct (currently only available in German) for the Casinos Austria and Austrian Lotteries Group serves thereby as the basis for our conduct in all our activities.

| Our previous and new goals | Status 2017 | Status 2018 |
|---|---|---|
| Continuously improve our anti-corruption, anti-money-laundering and data protection management system | completed | further measures planned for 2019/2020 |
| Prepare for the EU General Data Protection Regulation | extended to 2018 | completed |
| Update our internal data protection policy | extended to 2018 | completed |
| Review our compliance risk and opportunities analysis tool | planned for 2018 | completed |
| Evaluate the structured collection of stakeholder invitations in our compliance check tool | planned for 2018 | extended to 2019 |
| Evaluate our payment compliance measures | planned for 2019 | planned for 2019 |
| Evaluate more effective methods of checking the compliance of sponsoring activities | planned for 2019 | completed 2018 |
| Document all compliance training activities via the Group’s learning platform | new | planned for 2019 |
| Gather feedback from all internal stakeholders on the topic of compliance | new | planned for 2019 |
| Prepare internal surveys to assess the level of knowledge regarding compliance provisions | new | planned for 2020 |
| Provide compliance training to 95% of staff at our headquarters | planned for 2020 | planned for 2020 |
| Provide compliance training to 95% of responsible staff in our operations | planned for 2020 | planned for 2020 |
| Replace and increase communication measures regarding compliance | planned for 2020 | planned for 2020 |
| Push ahead with the digitalization of check-in procedures in our gaming operations | planned for 2020 | planned for 2020 |

Inhouse Counsel of the Year Award

In April 2018, the international GamblingCompliance Global Regulatory Awards were presented for the second time in London. The awards recognize the work carried out by gaming operators in the field of corporate governance and compliance. In 2018, the award for “Best Corporate Governance Team” went to the Public Affairs and Legal team at the Casinos Austria and Austrian Lotteries Group.

The award is a strong recognition of our Group’s commitment to and work in the field of corporate governance.
Dietmar Hoscher, Director

GamblingCompliance is a think tank based in London, Washington DC and Taipei, which regularly appraises developments in the gaming sector worldwide. Given the complex requirements that are placed on gaming operators by society and politics, the organization regards corporate governance as a prerequisite for any innovative and future-oriented gaming enterprise.



The importance of the fight against money laundering has grown sharply in recent years for gaming operators worldwide. The EU’s 5th Directive on the Prevention of the Use of the Financial System for the Purposes of Money Laundering or Terrorist Financing (“5th Anti-Money-Laundering Directive”) came into force on 20 May 2018 and includes for the first time a definition of “virtual currencies”.

Licensed gaming operators like the Casinos Austria and Austrian Lotteries Group support the EU’s fight against tax evasion, illegal financial transactions and terrorist financing. In the fight against money laundering, we have implemented the following processes in our Group:

  • A check is carried out to determine whether a player is included in the so-called Consolidated Financial Sanctions List (CFSL). The CFSL lists all persons, groups or entities subject to EU financial sanctions and consolidates all lists of names contained in the anti-terror and country embargo regulations. Persons who appear on the CFSL are denied access to our casinos, WINWIN outlets or win2day online gaming platform.
  • All players are checked to determine whether they appear on the so-called PEP List. A “politically exposed person” (PEP) is an individual who has been entrusted with a prominent public function or a person close to such an individual. Such individuals are subject to stricter anti-money laundering provisions.
  • All winners who seek to have an amount in excess of 1,000 euros per lottery ticket/scratch ticket paid out at one of our major cash prize payout points are required to present official photo ID. This data is also checked against the PEP List.


All our anti-corruption activities are conducted in compliance with the ISO 19600 (Compliance) and ISO 37001 (Anti-corruption) international standards.

These standards also form the basis for our anti-corruption rules and guidelines, which apply without restriction to all members of staff in our Group. Our “Invitations and Gifts” Guideline, for instance, ensures that our media cooperations, memberships, marketing activities, non-cash benefits, donations and sponsoring activities are fully compliant with the law.

In 2018, 5 invitations/gifts, 63 sponsoring activities/donations and 3 adverts/commission fees were checked by our Compliance Department. There were no anti-corruption incidents in 2018.


Introduction of a Whistleblower System

In the 2018 reporting year, we implemented a Whistleblower System for the Casinos Austria and Austrian Lotteries Group. The system can be used to anonymously report all suspicions of corruption, and every reported suspicion is processed and clarified using a clearly structured process. The goal of this system is to uncover and prevent internal misconduct and risks at an early stage. The Whistleblower System can be accessed online (currently only available in German).


Information Security

We place top priority on information security and accord utmost importance to privacy, integrity and transparency in the operation and handling of all our gaming products and services.

To assist us in this regard, we have implemented an information security management system that complies with the requirements of the World Lottery Association’s Security Control Standard and the ISO/IEC 27001:2013 Information Security Standard. This enables us to guarantee the compliant operation of all our games, equal chances of winning for all and the correct handling of confidential data. Adherence to these standards is verified each year by external audits.

More information on compliance management in the Casinos Austria and Austrian Lotteries Group can be found on our Governance website (currently only available in German).


Data Protection & Privacy

We place top priority on data protection and privacy. As gaming operators with a corresponding need for and access to a multitude of personal customer data, data protection and privacy is of utmost importance in all our business activities. Our compulsory e-learning modules and Group-specific training courses establish a high level of awareness for data protection and privacy within the Casinos Austria and Austrian Lotteries Group as well as a raised sense of responsibility when handling personal data. Particular emphasis is placed thereby on maintaining player confidentiality.

We comply with our data protection and privacy disclosure obligation pursuant to the EU’s General Data Protection Regulation (GDPR) through our Privacy Statement.

We have our adherence to appropriate and recognized standards in our implementation of data protection and privacy requirements verified each year by external auditors. Since 2009, we have been audited and certified annually to the international GoodPriv@cy Standard.


General Data Protection Regulation (GDPR) 

The EU’s General Data Protection Regulation came into force across Europe on 25 May 2018. The GDPR’s goal is to unify data protection law in Europe. In particular, the GDPR should serve to protect natural persons with regard to the processing and storage of their personal data. The key questions regarding data protection in relation to the Casinos Austria and Austrian Lotteries Group are summarized – and answered – below.

  • Which data is stored and where is it obtained?

The data we store depends on the actual product or service and can include the following:

name, date of birth, address, mobile phone no., ID card data, e-mail addresses, visit and gaming data. As a rule, we collect this data through our customer/guest relationships. We receive data in particular by personal consent or on a contractual or legal basis. We are legally required, for instance, to store ID card data.

  • What is the data used for and how long is it stored?

We store and use personal data solely and exclusively for predefined purposes. For example, we collect ID card data as a legal requirement, use core data to execute contracts (e.g. a purchase in the Casinos Austria online shop, membership in the Glücks Card loyalty program or tipp3 club, etc.) and store visit and gaming data (also a legal requirement) pursuant to our player protection or anti-money laundering provisions. We store personal data for the duration of the customer relationship or until the customer withdraws his/her consent. The duration of the storage period can also depend on the legal retention and documentation obligations pursuant to, for example, the Austrian Gaming Act, Financial Markets Anti-Money Laundering Act, General Civil Code, Commercial Code, or Federal Tax Code. In addition, the legal statutes of limitation also apply. The general statute of limitation is three years. In certain cases, the storage period can be up to 30 years.

  • Do you share the data with third parties?

We only share stored data with third parties if we are legally obliged to do so to execute a contractual relationship or with the customer’s explicit consent. We do not sell personal data to third parties or market such data in any other form.

Since the General Data Protection Regulation came into force, awareness of data protection and privacy and the number of inquiries relating to this topic have risen accordingly. Since May 2018, we have received over 1,100 inquiries relating to data protection and privacy. The majority of these were data deletion, information or correction requests and were handled by our Compliance and Service teams within the legal time limits.

For further information on data storage in the Casinos Austria and Austrian Lotteries Group, please contact our Data Protection Team on or our Data Protection Officer, Michael Mrak.