Compliance thus plays a central role in all our business activities. The long-established and regularly audited pillars of compliance in the Casinos Austria and Austrian Lotteries Group are as follows:
- Anti-money laundering & compliance (ISO 19600)
- Anti-corruption (ISO 37001)
- Information security (ISO/IEC 27001:2013; WLA-SCS: 2016 “Security Control Standard”)
- Data protection and privacy (GoodPriv@cy Standard)
- Quality management (ISO 9001:2015)
Year after year, we set ourselves ambitious goals in all these areas to ensure that we continue to develop and remain at the top of our game. Our internal Code of Conduct (currently only available in German) for the Casinos Austria and Austrian Lotteries Group serves as the basis for our conduct in all our activities.
|Our previous and new goals|Status 2017|Status 2018|
|---|---|---|
|Continuously improve our anti-corruption, anti-money-laundering and data protection management system|completed|further measures planned for 2019/2020|
|Prepare for the EU General Data Protection Regulation|extended to 2018|completed|
|Update our internal data protection policy|extended to 2018|completed|
|Review our compliance risk and opportunities analysis tool|planned for 2018|completed|
|Evaluate the structured collection of stakeholder invitations in our compliance check tool|planned for 2018|extended to 2019|
|Evaluate our payment compliance measures|planned for 2019|planned for 2019|
|Evaluate more effective methods of checking the compliance of sponsoring activities|planned for 2019|completed 2018|
|Document all compliance training activities via the Group’s learning platform|new|planned for 2019|
|Gather feedback from all internal stakeholders on the topic of compliance|new|planned for 2019|
|Prepare internal surveys to assess the level of knowledge regarding compliance provisions|new|planned for 2020|
|Provide compliance training to 95% of staff at our headquarters|planned for 2020|planned for 2020|
|Provide compliance training to 95% of responsible staff in our operations|planned for 2020|planned for 2020|
|Replace and increase communication measures regarding compliance|planned for 2020|planned for 2020|
|Push ahead with the digitalization of check-in procedures in our gaming operations|planned for 2020|planned for 2020|
Inhouse Counsel of the Year Award
In April 2018, the international GamblingCompliance Global Regulatory Awards were presented for the second time in London. The awards recognize the work carried out by gaming operators in the field of corporate governance and compliance. In 2018, the award for “Best Corporate Governance Team” went to the Public Affairs and Legal team at the Casinos Austria and Austrian Lotteries Group.
GamblingCompliance is a think tank based in London, Washington DC and Taipei, which regularly appraises developments in the gaming sector worldwide. Given the complex requirements that are placed on gaming operators by society and politics, the organization regards corporate governance as a prerequisite for any innovative and future-oriented gaming enterprise.
The importance of the fight against money laundering has grown sharply in recent years for gaming operators worldwide. The EU’s 5th Directive on the Prevention of the Use of the Financial System for the Purposes of Money Laundering or Terrorist Financing (“5th Anti-Money-Laundering Directive”) came into force on 20 May 2018 and includes for the first time a definition of “virtual currencies”.
Licensed gaming operators like the Casinos Austria and Austrian Lotteries Group support the EU’s fight against tax evasion, illegal financial transactions and terrorist financing. In the fight against money laundering, we have implemented the following processes in our Group:
- A check is carried out to determine whether a player is included in the so-called Consolidated Financial Sanctions List (CFSL). The CFSL lists all persons, groups or entities subject to EU financial sanctions and consolidates all lists of names contained in the anti-terror and country embargo regulations. Persons who appear on the CFSL are denied access to our casinos, WINWIN outlets or win2day online gaming platform.
- All players are checked to determine whether they appear on the so-called PEP List. A “politically exposed person” (PEP) is an individual who has been entrusted with a prominent public function or a person close to such an individual. Such individuals are subject to stricter anti-money laundering provisions.
- All winners who seek to have an amount in excess of 1,000 euros per lottery ticket/scratch ticket paid out at one of our major cash prize payout points are required to present official photo ID. This data is also checked against the PEP List.
These standards also form the basis for our anti-corruption rules and guidelines, which apply without restriction to all members of staff in our Group. Our “Invitations and Gifts” Guideline, for instance, ensures that our media cooperations, memberships, marketing activities, non-cash benefits, donations and sponsoring activities are fully compliant with the law.
In 2018, 5 invitations/gifts, 63 sponsoring activities/donations and 3 adverts/commission fees were checked by our Compliance Department. There were no anti-corruption incidents in 2018.
Introduction of a Whistleblower System
In the 2018 reporting year, we implemented a Whistleblower System for the Casinos Austria and Austrian Lotteries Group. The system can be used to anonymously report all suspicions of corruption, and every reported suspicion is processed and clarified using a clearly structured process. The goal of this system is to uncover and prevent internal misconduct and risks at an early stage. The Whistleblower System is currently only available in German.
We place top priority on information security and accord utmost importance to privacy, integrity and transparency in the operation and handling of all our gaming products and services.
To assist us in this regard, we have implemented an information security management system that complies with the requirements of the World Lottery Association’s Security Control Standard and the ISO/IEC 27001:2013 Information Security Standard. This enables us to guarantee the compliant operation of all our games, equal chances of winning for all and the correct handling of confidential data. Adherence to these standards is verified each year by external audits.
More information on compliance management in the Casinos Austria and Austrian Lotteries Group can be found on our Governance website (currently only available in German).
Data Protection & Privacy
We place top priority on data protection and privacy. As gaming operators with a corresponding need for and access to a multitude of personal customer data, data protection and privacy are of utmost importance in all our business activities. Our compulsory e-learning modules and Group-specific training courses establish a high level of awareness for data protection and privacy within the Casinos Austria and Austrian Lotteries Group as well as a raised sense of responsibility when handling personal data. Particular emphasis is placed on maintaining player confidentiality.
We comply with our data protection and privacy disclosure obligation pursuant to the EU’s General Data Protection Regulation (GDPR) through our Privacy Statement.
Each year, external auditors verify that our implementation of data protection and privacy requirements adheres to appropriate and recognized standards. Since 2009, we have been audited and certified annually to the international GoodPriv@cy Standard.
The EU’s General Data Protection Regulation came into force across Europe on 25 May 2018. The GDPR’s goal is to unify data protection law in Europe. In particular, the GDPR should serve to protect natural persons with regard to the processing and storage of their personal data. The key questions regarding data protection in relation to the Casinos Austria and Austrian Lotteries Group are summarized – and answered – below.
- Which data is stored and where is it obtained?
The data we store depends on the actual product or service and can include the following: name, date of birth, address, mobile phone no., ID card data, e-mail addresses, visit and gaming data. As a rule, we collect this data through our customer/guest relationships. We receive data in particular by personal consent or on a contractual or legal basis. We are legally required, for instance, to store ID card data.
- What is the data used for and how long is it stored?
We store and use personal data solely and exclusively for predefined purposes. For example, we collect ID card data as a legal requirement, use core data to execute contracts (e.g. a purchase in the Casinos Austria online shop, membership in the Glücks Card loyalty program or tipp3 club, etc.) and store visit and gaming data (also a legal requirement) pursuant to our player protection or anti-money laundering provisions. We store personal data for the duration of the customer relationship or until the customer withdraws his/her consent. The duration of the storage period can also depend on the legal retention and documentation obligations pursuant to, for example, the Austrian Gaming Act, Financial Markets Anti-Money Laundering Act, General Civil Code, Commercial Code, or Federal Tax Code. In addition, the legal statutes of limitation also apply. The general statute of limitation is three years. In certain cases, the storage period can be up to 30 years.
- Do you share the data with third parties?
We only share stored data with third parties if we are legally obliged to do so to execute a contractual relationship or with the customer’s explicit consent. We do not sell personal data to third parties or market such data in any other form.
Since the General Data Protection Regulation came into force, awareness of data protection and privacy and the number of inquiries relating to this topic have risen accordingly. Since May 2018, we have received over 1,100 inquiries relating to data protection and privacy. The majority of these were data deletion, information or correction requests and were handled by our Compliance and Service teams within the legal time limits.
For further information on data storage in the Casinos Austria and Austrian Lotteries Group, please contact our Data Protection Team on email@example.com or our Data Protection Officer, Michael Mrak.