Casino Industry Myths: The General Data Protection Regulation ("GDPR")

Some readers may remember an article I wrote a few years ago entitled Casino Industry Myths - The Data Protection Act (DPA) wherein I wrote of the widespread misinterpretation and/or misuse of the DPA by casinos to stifle discussions related to player complaints. The common claim then was that they were "protecting the consumer" and that that meant the door to discussing anything related to that consumer was well and firmly closed. In other words casinos were using it as a free pass to ignore player complaints.

The problem was that it was all 100% BS. As ("The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals") had pointed out, the DPA was not intended to be used as an impediment to a third-party's involvement in dispute arbitration. Where that third-party had been properly authorized by the player to speak on their behalf such involvement was perfectly legal and legitimate.

Well, here we are three years on with a new set of data protection laws, the GDPR. And unfortunately we're pretty much right back where we started in that the GDPR is now being abused in the same way the DPA was then. "Can't discuss details because of GDPR" and "GDPR/legal obligations does not allow us to discuss details" and so forth. To be blunt this is very much a "same shit different day" situation: casinos are through ignorance or intent misusing the GDPR to inhibit discussion of player complaints whether the player provides explicit authorization for that discussion or not.

I'd love to be able to point to ICO, or somesuch, and debunk this round of abuse of the data protection laws as efficiently as we did last time. Unfortunately that's not possible yet because ICO hasn't issued any such statement regarding the GDPR in relation to dispute arbitration nor has any other prominent organization, as far as I know.

What I have seen is
You do not have permission to view link Log in or register now.
(Chartered Institute of Arbitrators) wherein matters related to the above are discussed. For the purposes of the following note that a Data Subject (for us, "the player") is a person whose data is held by a Data Controller (for us, "the casino") and the Data Protection Officer (aka DPO) is the person within the Data Controller's organization who is responsible for GDPR compliance:

The designation, position and tasks of the Data Protection Officer (“DPO”) are covered under Articles 37-39. Under Article 38, the Data subject may contact the DPO if there are issues related to processing of their personal data and Article 4(2) provides that “Processing means any operation or set of operations which is performed on personal data or set of personal data, whether or not by automated means, such as...disclosure by transmission....” In an arbitral proceeding, an issue by a Data subject requires disclosure. This disclosure obligations falls within the purview of the GDPR and is necessary for the purposes of legitimate interests of both the data controller and data subject.

In other words the player contacts the DPO at the casino, explicitly requests that their data be disclosed to the arbiter they designate (us, for example) and the DPO then forwards the necessary data.

Unfortunately that's as good as it gets, for now. Per the GDPR the DPO is allowed to take up to two months to respond and there's no guidance at this time (AFAIK) as to how forthcoming regarding the player's complaint they need to be. They could simply supply the player's registration details and nothing more. Obviously that's not going to be very helpful when it comes to resolving a dispute.

As with most situations of this nature players can expect that some casinos will have no problem discussing their complaint with the arbiter of their choice and, for the time being, other casinos will continue to use the GDPR as an impediment to any such discussion.

Sadly the list of casinos opting to join the latter group is depressingly long and those casinos are likely to continue their non-cooperative ways until someone with clout shows them they can't. For now ADRs like us are left with little choice but to try convincing reluctant casinos to respect the player's wishes and flag incidents of non-cooperation as effectively as we can. Cold comfort for the players but so it is for the time being.

Addendum: as many of you know
You do not have permission to view link Log in or register now.
is at least as active in the area of player complaints as we are. He had some very salient thoughts on the above:
I would have focused on the parts of the legislation that facilitate the interaction ...

The Legal Basis covered in the GDPR provide two clear roads for operators to engage (in discussion regarding a player):

- Legitimate Interest (which I have received feedback from the ICO is the correct selection in this case), and
- Consent

The latter has some interpretation - i.e. there is scope for the operator to define what is reasonable demonstration that the customer has given their consent ...

An excellent suggestion and one I would have followed except that I find that operators won't generally engage in the discussion at that level. To make a long story short I find that if they can avoid discussing details with you then they will. In other words it's exceedingly difficult to get to the point in the conversation where those points can be brought to bear, usually they'll simply avoid it as long as they can.

The point about a judgement ruling from ICO, or whomever, is that that adds some gravitas to discussion with the operator. Specifically it helps them understand that avoiding the discussion entirely may no longer be an option for them. That is certainly what we saw in regards to the ICO notice re the DPA: before it most casinos ignored our protests that they were abusing the DPA, with it out there and in the open most operators changed their approach either towards cooperation or simply slamming the door completely shut and bringing their legal teams forward to keep it shut.

So to put it another way, I find there often needs to be a stick in the picture (something "official" that shows them to be in violation of the law's intent) before they'll see the carrot. Whether they'll suddenly develop an appetite for carrots or not is another matter.
Last edited:
I think when player submit complaint with any of the ADR's he give his 'yes' for both ADR and casino to share his information? That's the point of ADR, no?


I think when player submit complaint with any of the ADR's he give his 'yes' for both ADR and casino to share his information?

True, but that is usually only relevant where the casino has a desire to engage with the ADR, and that is usually only true with the ADR that they may have selected (IBAS, eCOGRA, etc). If the player goes to an ADR/third-party other than who they've selected they are usually determined to ignore the issue entirely and for as long as possible. Casinos tend to behave as if player consent has no bearing in that case, when in fact there is nothing in the GDPR giving them leave to make that call.

That said, I'm perfectly aware that the UKGC _does_ give operators leave to ignore anyone with a player issue who isn't their designated ADR. But the GDPR is not UK legislation, it is EU legislation and that changes things quite considerably.
Last edited:
Here's an interesting article from ThePogg on the whole "un-approved ADR" thing:
You do not have permission to view link Log in or register now.

A wee excerpt to encourage anyone interested to read the article in full:
Recently it has been brought to our attention that some operators have been using their UKGC license as grounds to refuse to discuss complaints with anyone other than their selected Alternative Dispute Resolution (ADR) service..., suggesting that the UKGC are aggressively against operators talking to anyone else. So are operators correct? Is this a case where the regulator are actually restricting the manner in which players can address their problems with operators? The answer is “No” and this is just another example (see our article –
You do not have permission to view link Log in or register now.
) of gambling operators taking an aggressively protectionist interpretation of the rules and using the general lack of understanding of the rules to make a player unfriendly internal policy seem more authoritative and legitimate.
Last edited:
What is the position if an accredited casino refuses to engage with a PAB citing the GDPR as a reason? Will they be grey zoned or rogued?
If they use a made up reason not to engage then surely they shouldn't stay accredited?
These days if you start making too much noise or complaining they just see you as a problem gambler and suspend your account
What is the position if an accredited casino refuses to engage with a PAB citing the GDPR as a reason? Will they be grey zoned or rogued?
If they use a made up reason not to engage then surely they shouldn't stay accredited?
Of course it's a bit of a disgrace that I haven't seen this and responded to it sooner but there's no doubt that a situation like that would be a problem. Fortunately the days of casinos using the GDPR as an excuse to not discuss a player's issue are largely behind us. In the bad old days, around the time I posted this thread, we were seeing this come up pretty much every day of the week, often more than once a day. Now -- yes, almost 4 years later -- we might see it every few months or so, usually less.

I'm well aware that this response comes too late for it to be of any use to Colin. He is missed.

- Max

Users who are viewing this thread

Meister Ratings