Who are the GDPR violators?

maxd

Complaints (PAB) Manager
Staff member
Joined
Jan 20, 2004
Location
Saltirelandia
What follows is our case against those who would misuse the GDPR for their own ends and our reasons for creating a new GDPR Violators blacklist.

As many readers will know consumer data protection has been a growing issue over recent years culminating with last years's GDPR (General Data Protection Rules) introduced and implemented across the EU. There is no question that legislation like the GDPR, and the DPA (Data Protection Act) that preceded it, is necessary and appropriate in today's increasingly online-oriented world. The reports of user data abuse that have peppered the news this past year or so are more than sufficient proof of that. The GDPR has quickly come to be considered the "gold standard" for consumer data protection and, for example, has been adopted wholesale by the UK in spite of the forthcoming Brexit departure.

Given that the GDPR is already with us the current and ongoing phase is implementation. And it's here that we encounter an old problem: casinos using the GDPR as an excuse to refuse to discuss player issues.

The argument the casinos give -- such as it is -- is simply this: "can't discuss player's complaint because of GDPR". My thesis today is that there are two important parts to that statement. The first part is "can't discuss" and to some extent we and others have covered this earlier in the year. See for example ThePogg's "
You do not have permission to view link Log in or register now.
" and our own "Casino Industry Myths: The GDPR".

The salient point in those previous articles is that there are clauses within the GDPR that demonstrate why a casino should discuss a player's complaint with an ADR of the player's choice but there is nothing compelling the casino to do anything: in the end it's the casino's choice whether they wish to respect the player's wishes regarding arbitration.

The second part of "can't discuss ... because of the GDPR" is the "because" bit. Here the claim is being made that the GDPR somehow bars a casino from discussing anything related to one of their customers. The idea, apparently, is that in order to protect the consumer's data rights per the GDPR the casino cannot enter into a discussion about that consumer in any way, shape or form. My primary goal in this article is to show that that is blatantly false, and in fact any casino that does so is itself violating both the spirit and letter of the GDPR.

Before we proceed we need to cite the definition of a few of the key terms that are used throughout the GDPR legislation. These terms are defined up front in the GDPR -- "
You do not have permission to view link Log in or register now.
" -- and are then used throughout as short-hand to discuss the various aspects of the new law:

'data subject': an identifiable natural person ... who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier ....​
'data controller': the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data ....​
'consent': any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.​

For the purposes of the following discussion players who submit complaints are the "data subjects" while casinos and ADRs are "data controllers" although they clearly use the player's data for different reasons.

The Right to Data Portability

Chapter III of the GDPR lays out the "Rights of the data subject" including the "Right of Access", the "Right of Rectification" and so forth. Particularly relevant to our subject here is
You do not have permission to view link Log in or register now.
, the "Right to Data Portability":
  1. The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided ...
  2. In exercising his or her right to data portability pursuant to paragraph 1, the data subject shall have the right to have the personal data transmitted directly from one controller to another ..."
Clearly the GDPR does not intend for the consumer's data to be restricted to one data controller in preference or exclusion over other data controllers assuming the consumer wishes that data to be so moved. In the scenario we're discussing here the player with a complaint has the right per Article 20 of the GDPR to have their data transferred from the casino about which they have filed a complaint to an ADR that is processing that complaint at their request and on their behalf. Any casino that denies the player that right, assuming an appropriate request is given, is in violation of the GDPR.

It is worth noting that there is an addendum to Article 20 -- the GDPR calls these addendums "Recitals" -- called "
You do not have permission to view link Log in or register now.
" which includes the following statement:
"... That right [the Right of Data Portability] should apply where the data subject provided the personal data on the basis of his or her consent ..."​
This is significant because there are a few special circumstances in which the Right to Data Portability is restricted but the GDPR has made it clear that those do not apply where the data subject has provided their data by consent, namely by registering at a casino.

So the bottom line is that "can't discuss ... because of the GDPR" is simply false. At best it is a misreading of the GDPR, but given the clarity of the language used in the Right to Data Portability that's not much of an excuse.

The Right of Access: Subject Access Requests (SARs)

In our experience a casino will sometimes choose to classify a player's request for arbitration as a "Subject Access Request". In the GDPR this is covered in
You do not have permission to view link Log in or register now.
, and the bottom line is:

"The controller shall provide a copy of the personal data undergoing processing."​

The controller is expected to respond within 30 days.

The significance of classifying a request for arbitration as a SAR is that the casino is assuming the player is simply requesting all the applicable data on the player that the casino holds and nothing more. That's a fairly gross misinterpretation of what dispute arbitration is or should be. A cynic might conclude that is not an accident.

For the purposes of our discussion here it is again obvious that the GDPR does not intend to prohibit access to consumer data: a clear path to the data is defined, the scope and procedures are specified.

Appointing a Representative
"The GDPR does not give you any specific rights to appoint someone to act for you when dealing with an organisation that is processing your personal data. However, in most circumstances we would expect organisations to allow you to exercise your data protection rights ... through a properly appointed representative if you want this."​

You do not have permission to view link Log in or register now.
,"The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals."

In this context "a properly appointed representative" is taken to mean a body that can provide or can ask the data subject to provide:
  • proof that you have given your representative authority to exercise your data protection rights, or make a complaint, for you (such as a letter giving them your authority), and
  • proof of your identity.

Again, clearly, the GDPR is not a barrier to proceeding. As far as ICO is concerned provisions for having a representative act on a data subject's behalf are expected if not explicitly stated.

Conclusion

So there it is, "can't discuss because of the GDPR" is an unfounded and unlawful claim and any casino that says that is violating the GDPR. Recent cases have shown that GDPR violations are being taken seriously; see ICO's
You do not have permission to view link Log in or register now.
listing for example. As such casinos that we know first hand are doing so will henceforth be added to our (new) GDPR Violators blacklist.

References

You do not have permission to view link Log in or register now.

You do not have permission to view link Log in or register now.

You do not have permission to view link Log in or register now.

You do not have permission to view link Log in or register now.

You do not have permission to view link Log in or register now.
 
Last edited:

EkJR

Senior Member
MM
Joined
Feb 3, 2018
Location
Glasgow
Well, I got another players 3rd line complaint and response from Casinoland sent to me by email which I reported to the ICO. They have done absolutely nothing about it. That was a year ago now! GDPR is just another pishy gimmick to make the people that wrote it seem important.
 

maxd

Complaints (PAB) Manager
Staff member
Joined
Jan 20, 2004
Location
Saltirelandia
I can understand your frustration but I can't agree. The GDPR is a serious piece of work and a real game-changer in terms of consumer data rights.

Having dealt directly and indirectly with a fair number of GDPR-related cases my experience has been that it is broad and powerful. It's also full of holes. Time will tell whether the EU does the work to evolve and improve it, or let's it rot on the very ground it tried to level.
 

EkJR

Senior Member
MM
Joined
Feb 3, 2018
Location
Glasgow
I can understand your frustration but I can't agree. The GDPR is a serious piece of work and a real game-changer in terms of consumer data rights.

Having dealt directly and indirectly with a fair number of GDPR-related cases my experience has been that it is broad and powerful. It's also full of holes. Time will tell whether the EU does the work to evolve and improve it, or let's it rot on the very ground it tried to level.

I agree with the principles of it of course, but I see it more as an enhancement to rules which were already in place than a brand new standard. Just my opinion.

Definitely get the operators named and shamed though!
 

maxd

Complaints (PAB) Manager
Staff member
Joined
Jan 20, 2004
Location
Saltirelandia
... I see it more as an enhancement to rules which were already in place ...

Very much so, but in many areas it does go quite a bit further.
Also the GDPR itself says that it fully replaces and displaces the old legislation -- the DPA -- so either way we're stuck with it.
 

Flip67

Newbie member
PABnononaccred
Joined
Jun 26, 2019
Location
Canada
So really what does that mean for players like myself? Who won money fairly. To have it stolen by the casino. To have them refuse arbitration and close your acct.
 

maxd

Complaints (PAB) Manager
Staff member
Joined
Jan 20, 2004
Location
Saltirelandia
Top