DGOJ
AI Regulation in Spain iGaming
Direccion General de Ordenacion del Juego (DGOJ) — regulatory overview for AI use cases in Spain's gambling market.
Regulator Overview
Spain regulates online gambling through the Direccion General de Ordenacion del Juego (DGOJ), a division of the Ministry of Consumer Affairs. Since the 2011 Gambling Act (Ley 13/2011), Spain has operated a licensed-operator model with strict conditions on advertising, responsible gambling, and player data handling. The DGOJ has progressively tightened requirements, most notably through Royal Decree 958/2020, which imposed sweeping restrictions on gambling advertising, bonus offers, and promotional activity — effectively banning most gambling ads outside a narrow late-night window and prohibiting welcome bonuses entirely.
For operators deploying AI systems, Spain presents a layered compliance challenge. The DGOJ mandates detailed record-keeping of player activity and requires operators to implement responsible gambling tools, including self-exclusion integration with the national RGIAJ registry. Any AI system that processes player behavioural data for segmentation, personalisation, or risk scoring must also comply with the Spanish Data Protection Agency (AEPD) enforcement of the GDPR, which has been notably aggressive — the AEPD has issued some of the largest GDPR fines in Europe and pays close attention to automated decision-making and profiling under Articles 21 and 22.
As an EU member state, Spain is subject to the EU AI Act (Regulation 2024/1689), which entered into force in August 2024 with phased implementation through 2027. AI systems used for creditworthiness-style scoring or behavioural profiling of vulnerable individuals may be classified as high-risk, requiring conformity assessments, human oversight mechanisms, and transparency obligations. Operators in the Spanish market must plan for both DGOJ-specific gambling requirements and horizontal EU AI Act obligations simultaneously.
Key AI & Data Rules
DGOJ Responsible Gambling Record-Keeping
Operators must maintain comprehensive records of player sessions, deposits, losses, and self-exclusion status. AI systems that ingest or process this data must preserve audit trails and ensure outputs align with DGOJ reporting requirements. Automated interventions based on player behaviour (e.g., responsible gambling alerts) must be documented and defensible.
Royal Decree 958/2020 Advertising and Bonus Restrictions
Gambling advertising is restricted to the 1:00–5:00 AM window on broadcast media, and welcome bonuses are banned outright. AI-driven personalisation of marketing content, CRM campaigns, or promotional offers must operate within these constraints. Systems that dynamically generate or target advertising content carry significant regulatory risk if they circumvent the spirit of these restrictions.
AEPD Enforcement of Automated Profiling
The Spanish Data Protection Agency (AEPD) actively enforces GDPR provisions on automated decision-making and profiling. Any AI system that creates player segments, risk scores, or behavioural profiles must provide clear information to data subjects under Article 13/14, offer meaningful opt-out mechanisms, and conduct Data Protection Impact Assessments (DPIAs) where profiling produces legal or similarly significant effects.
National Self-Exclusion Registry (RGIAJ) Integration
Operators must integrate with Spain's national self-exclusion registry (Registro General de Interdicciones de Acceso al Juego). AI systems used for player reactivation, CRM targeting, or churn prediction must cross-reference RGIAJ data before any outreach. Failure to exclude self-excluded players from automated campaigns is a serious regulatory breach.
EU AI Act High-Risk Classification
Under the EU AI Act, AI systems that evaluate creditworthiness or perform behavioural scoring of natural persons may be classified as high-risk (Annex III). Operators using AI for VIP identification, affordability checks, or vulnerability detection should assess whether their systems fall within high-risk categories, triggering requirements for conformity assessments, technical documentation, human oversight, and post-market monitoring.
Regulatory Sources
Ley 13/2011, de 27 de mayo, de regulacion del juego
Boletín Oficial del Estado (BOE)
Real Decreto 958/2020 — Comunicaciones comerciales de las actividades de juego
Boletín Oficial del Estado (BOE)
DGOJ — Juego Seguro (Official Portal)
Direccion General de Ordenacion del Juego (DGOJ)
AEPD Guide on the Use of AI and Data Protection
Agencia Española de Proteccion de Datos (AEPD)
Regulation (EU) 2024/1689 — EU Artificial Intelligence Act
European Parliament and Council
Frequently Asked Questions
Can AI be used to personalise marketing to Spanish gambling customers?
Only within very tight boundaries. Royal Decree 958/2020 bans welcome bonuses entirely and restricts gambling advertising to the 1:00–5:00 AM broadcast slot. AI-driven personalisation of promotional content is permissible in principle, but any system that targets players with incentives to increase spend, reactivates lapsed players without responsible gambling checks, or circumvents advertising timing restrictions will face enforcement action from the DGOJ.
What GDPR obligations apply to AI player profiling in Spain?
The AEPD enforces GDPR Articles 21 and 22 rigorously. Any AI system that profiles players — whether for segmentation, VIP identification, or risk scoring — must provide transparent information about the logic involved, allow players to object to profiling, and conduct a DPIA before deployment. Automated decisions with legal or significant effects require human review mechanisms.
Does the EU AI Act affect gambling operators in Spain right now?
The EU AI Act (Regulation 2024/1689) entered into force on 1 August 2024, with prohibited practices banned from February 2025 and high-risk system obligations phasing in through August 2027. Operators should already be auditing whether their AI systems fall into high-risk categories under Annex III, particularly those involving behavioural scoring or access to essential services. Compliance planning should begin now, even where enforcement dates are future.
How does the Spanish self-exclusion registry affect AI-driven CRM?
All licensed operators must integrate with the RGIAJ (Registro General de Interdicciones de Acceso al Juego). AI systems used for CRM, reactivation, or churn prediction must check RGIAJ status before any player outreach. Sending automated marketing communications to a self-excluded player is a direct regulatory violation that can result in sanctions and licence conditions.
What is the DGOJ's position on AI in responsible gambling tools?
The DGOJ requires operators to implement responsible gambling measures including deposit limits, session alerts, and self-exclusion. AI systems that support these objectives — such as early detection of problem gambling patterns — are generally viewed favourably, provided they are transparent, auditable, and do not process data beyond what is necessary. However, the DGOJ has not published specific AI guidance, so operators should document their approach and be prepared to demonstrate compliance on inspection.
Assess your AI use case in Spain
Check whether your AI use case is low, medium, or high risk under DGOJ regulation — with source-backed guidance.
Start Free AssessmentOperational guidance, not legal advice.