Casinos and arcades: destroying customer data
A casino or arcade processes far more data than a visitor suspects. At registration you establish identity, build a client due diligence file and check the exclusion register; you run cameras on the gaming floor and you record transactions and playing behaviour. Part of that data falls under the gambling rules and anti-money-laundering law, part under the tax retention obligation, and part should be kept as briefly as possible. This guide shows, part by part, what you keep, when it may go and how to destroy it confidentially.
The quick answer: you keep client due diligence data for up to five years under anti-money-laundering rules and the financial administration for seven years under the tax retention obligation. You keep CCTV footage as briefly as possible, as a rule four weeks. What may go is destroyed confidentially and with a certificate of destruction.
Two frameworks: gambling rules and GDPR
At a casino or arcade two things run together. The gambling regulations and anti-money-laundering law require you to identify players, carry out client due diligence and consult the exclusion register, with their own retention periods. Alongside this the GDPR applies, which requires not keeping personal data longer than necessary. The sector rules set the floor for what you must keep, the GDPR the ceiling for what you may not keep too long.
So treat the customer data per type. A client due diligence file has a different status than an afternoon of CCTV footage or a single note about playing behaviour. If you make that distinction, you keep exactly what you must and clear out the rest on time.
Retention periods by part
The period differs per type of data. The overview below gives the main line. Count the anti-money-laundering period from the end of the relationship or the transaction, the tax period from the end of the financial year and the other periods from the moment the purpose has lapsed.
| Part | Basis | Period |
|---|---|---|
| Client due diligence and identification | Anti-money-laundering law | 5 years |
| Financial administration and payouts | Tax retention obligation | 7 years |
| ID copy and verification data | As limited as possible | only what is needed |
| Exclusion-register check and exclusion | Gambling rules | purpose-bound |
| Gaming-floor CCTV footage | Storage limitation | usually max 4 weeks |
| Transaction and playing-behaviour data | Purpose-bound and tax | purpose-bound + 7 years |
| Correspondence and drafts | No retention obligation | clear out at once |
Use this as a guideline, not a substitute for the law or your licence conditions. When in doubt, consult the gambling authority or your privacy adviser. A complete overview per document type is in the GDPR retention periods cheatsheet.
Client due diligence and ID copies: be careful
As a licence holder you carry out client due diligence under anti-money-laundering law. You establish identity, verify it and keep an eye on unusual transactions. The data and documents you use for this you keep for up to five years after the end of the relationship or the transaction. What that period means and how it overlaps with the tax side is set out in client due diligence and the 5-year rule.
Keep no more than needed. Record which document you saw and the data the law requires, but do not keep a full copy with a national ID number and photo longer than necessary. Such a copy is sensitive and a prime target for misuse. How to clear out an ID copy safely on paper and digitally is in safely destroying an ID copy. A mountain of old identity data you no longer need is a risk you remove simply by destroying it on time. That also helps to prevent identity fraud.
The exclusion register
For games of chance you consult the central exclusion register at registration and entry. That way you keep out players who have excluded themselves or have been excluded. The check and its recording are purpose-bound. You record what is needed to demonstrate that you performed the check, but you do not build a shadow archive of everyone who ever stood at the door.
Treat data about an exclusion with extra care. It says something about a person's playing behaviour and sometimes their vulnerability, so keep it recognisably separate, use it only for the purpose and clear it out as soon as the ground lapses. Keeping it because it might come in handy one day is not a valid ground under the GDPR.
CCTV footage and playing behaviour
Camera surveillance on the gaming floor serves safety, oversight and sometimes a statutory duty, but it produces a great deal of footage of recognisable people. Keep that footage as briefly as possible, as a rule at most four weeks, unless a concrete incident justifies keeping it longer. Footage you no longer need you delete or have destroyed together with its carrier. The main line per situation is in CCTV footage: retention period and destruction.
Transaction and playing-behaviour data together tell a detailed story about a visitor. Tie them to a concrete purpose, such as the anti-money-laundering duty or the administration, and keep them no longer than that purpose requires. Whatever remains only on an old backup or a decommissioned server belongs with the clear-out just as much.
How to handle it in 6 steps
- Split the data into client due diligence, administration, exclusion checks, CCTV footage and playing behaviour.
- Limit identity data to what anti-money-laundering law and the licence require.
- Treat exclusion and behaviour data separately and clear it out as soon as the purpose lapses.
- Keep the statutory periods of 5 years for due diligence and 7 years for tax.
- Collect what may go in sealed containers, not in the paper bin.
- Have it destroyed confidentially with a certificate and record it in your register.
Destroy confidentially with a certificate
A casino's or arcade's customer data is destroyed confidentially, because it contains identity, transaction and behaviour data. The paper and any data carriers travel sealed and stay that way until destruction, so the chain is closed. An old registration computer, camera recorder or backup with customer data belongs with it just as much as the paper files.
Afterwards you receive a certificate of destruction with the date, quantity and level. That certificate is your proof, under the GDPR and towards the regulator, that you acted carefully. Record the destruction in your record of processing. We collect within 20 km of Amsterdam with no call-out charge, work nationwide through pooled collection rounds and charge a fixed price per box or roll container. Drop-off on site is not possible; it works by appointment through collection.
Customer data to be destroyed?
Tell us what you have and you get a fixed price. We collect it sealed, destroy it at the right DIN level and you receive a certificate for your GDPR file. No call-out charge within 20 km of Amsterdam.
Request a quote
Common mistakes
- Keeping ID copies forever. Record what the law requires and clear out the rest on time.
- Keeping CCTV footage too long. Without an incident a short period of usually four weeks applies.
- Treating exclusion and behaviour data as ordinary paper. Those need extra care.
- Throwing files away unshredded. A player file on the street is a reportable data breach.
- Keeping no proof. Without a certificate you cannot demonstrate the destruction.
Frequently asked questions
How long does a casino keep client due diligence data?
Anti-money-laundering rules require you to keep the data and documents from client due diligence for up to five years after the end of the business relationship or the transaction. After that the ground lapses and you clear them out confidentially. The financial administration also carries the seven-year tax retention obligation.
Must I keep a copy of an identity document at registration?
You must establish and verify identity, but keep no more than needed. Record which document you saw and the data the law requires. A full copy with a national ID number and photo you keep no longer than necessary and destroy confidentially afterwards.
How long do I keep CCTV footage from the gaming floor?
Keep CCTV footage as briefly as possible, as a rule at most four weeks, unless a concrete incident justifies keeping it longer. Footage you no longer need you delete or have destroyed confidentially together with its carrier.
How do I destroy a casino's customer data in line with the GDPR?
Confidentially and with a certificate of destruction. Paper and data carriers travel sealed and stay that way until destruction, and you record the destruction in your record of processing.
Conclusion
A casino or arcade works with identity, transaction and behaviour data of every player, between the gambling rules and anti-money-laundering law on one side and the GDPR on the other. Keep the client due diligence for five years, keep the administration for seven years and be restrained with ID copies. CCTV footage and exclusion data you clear out as soon as the purpose lapses. What may go you have destroyed confidentially with a certificate as proof. That way you meet both frameworks and protect your visitors' data.
Read also: cinemas and theatres: destroying visitor data, theme parks: destroying visitor data, sauna and wellness: destroying customer data and the GDPR retention periods cheatsheet.
Have customer data collected? Request a quote via desnipperaar.nl. Within a few minutes you have a fixed price, including a certificate as proof.