News

Controller or Processor? – Court of Appeal Confirms Tribunal’s Decision on Data Processing Roles

A contentious matter between gaming operators and affiliates, in most gaming contract negotiations, is determining which of the parties is to be deemed a controller and which is to be deemed a processor.

A recent judgment of the Court of Appeal presided over by Judge Lawrence Mintoff[1] upheld a previous decision of the Information and Data Protection Appeals Tribunal (‘Tribunal’) against LeoVegas Gaming plc (‘LeoVegas’). This decision determined that the controller in the relationship between a gaming operator and an affiliate is the gaming operator, on the basis that an affiliate only processes personal data on the instructions of the gaming operator, for which the affiliate works to attract clients.

Controller vs Processor – The Facts

The UK’s Information Commissioner Office (‘ICO’) contacted the Information and Data Protection Commissioner in Malta (‘IDPC’) following hundreds of complaints it had received from data subjects, who had themselves received unsolicited communication from an affiliate of LeoVegas (“Affiliate”).

Following its investigations, the IDPC ordered LeoVegas to pay an administrative fine of five thousand Euros on the basis that:

  • It failed to provide the required evidence necessary to legitimise the sending of the marketing communications in question by its engaged or appointed affiliates; and
  • the sending of electronic communications by affiliates on behalf of Leo Vegas was unlawful and in breach of now replaced Regulation 9 of Subsidiary Legislation 440.01.

As the unsolicited electronic communication was sent by the Affiliate on LeoVegas’ behalf and as per its instructions, the IDPC deemed LeoVegas to be acting as the controller and hence responsible for the unsolicited communication.

LeoVegas appealed from the IDPC’s decision on the basis that in the contract between the parties, the Affiliate was deemed to act as a controller and LeoVegas the processor. However, the Tribunal also found in favour of the IDPC following its assessment of the role of the Affiliate, which it defined as (i) revolving around LeoVegas and (ii) managed through the instructions of the gaming operator for the purpose of attracting players to LeoVegas’ website.  In fact, the Tribunal went on to describe affiliates as follows:

“Affiliates aim to drive individuals to an operator’s site/app with the aim of such individual signing up to become player. This means that the operator will be a controller in respect of such players once they have entered the operator’s site/app but prior to this the operator has no relationship with the traffic that is being driven towards its site.”

LeoVegas claimed that it never gave consent to its Affiliate to approach third parties and consequently it cannot be deemed a data controller. The Tribunal, whilst acknowledging that the gaming operator is only attributed responsibility of player data once a player actually becomes its player, and that an affiliate may be in charge of creating a database of potential clients, on the other hand held that the nature of the affiliate’s role is dependent on the gaming operator since it always acts on its behalf. This element is crucial to determine that the Affiliate was in fact the processor in the relationship and not the controller.

The Tribunal also assessed the contract in vigore between LeoVegas and the Affiliate and stated that even if the role of the controller was attributed to the Affiliate, the spirit of the contract indicated otherwise.

Effectively the Tribunal deemed LeoVegas to be the controller of the relationship and hence the party responsible in keeping a record of its processing and to determine on which legal basis the personal data processed through unsolicited communication was in fact processed.

In its appeal, LeoVegas claimed that in its case, it was the Affiliate who originally collected and kept the personal data, which database it claimed was protected by copyright. However, the Tribunal held that the regulations in place stated that the definition of a controller encompasses those who instigate the processing of such data. Without financial remuneration, such data would not have been collected by the Affiliate and thus the Affiliate’s actions were instigated by LeoVegas.

Moreover, LeoVegas was accused of violating what is now Regulation 586.01 in that it made unlawful use of electronic communications.

Other Matters

In its appeal, LeoVegas claimed that the decision of the Tribunal was based on the wrong law as the events on which the Tribunal had to decide occurred prior to the coming into force of the General Data Protection Regulation and that consequently its decision could only have been based on the now repealed Chapter 440 of the Laws of Malta, the previous Data Protection Act. Nevertheless, as the substance of the definitions of controller, processor and personal data did not change, the legal position did not change, and the Court ultimately discarded such claim.

Article written by Dr Bernice Saliba.

For further information you may contact Dr Ian Gauci or Dr Terence Cassar.

This article is not intended to impart legal advice and readers are asked to seek verification of statements made, from an advocate or law firm, before acting on them.


[1]LeoVegas Gaming p.l.c v. Il-Kummissarju ghall-Informazzjoni u l-Protezzjoni tad-Data (Information and Data Protection Commissioner), Court of Appeal (Inferiorr), Judge L. Mintoff, 12th June 2020