What follows is our case against those who would misuse the GDPR for their own ends and our reasons for creating a new GDPR Violators blacklist.
As many readers will know consumer data protection has been a growing issue over recent years culminating with last years's GDPR (General Data Protection Rules) introduced and implemented across the EU. There is no question that legislation like the GDPR, and the DPA (Data Protection Act) that preceded it, is necessary and appropriate in today's increasingly online-oriented world. The reports of user data abuse that have peppered the news this past year or so are more than sufficient proof of that. The GDPR has quickly come to be considered the "gold standard" for consumer data protection and, for example, has been adopted wholesale by the UK in spite of the forthcoming Brexit departure.
Given that the GDPR is already with us the current and ongoing phase is implementation. And it's here that we encounter an old problem: casinos using the GDPR as an excuse to refuse to discuss player issues.
The argument the casinos give -- such as it is -- is simply this: "can't discuss player's complaint because of GDPR". My thesis today is that there are two important parts to that statement. The first part is "can't discuss" and to some extent we and others have covered this earlier in the year. See for example ThePogg's "
The salient point in those previous articles is that there are clauses within the GDPR that demonstrate why a casino should discuss a player's complaint with an ADR of the player's choice but there is nothing compelling the casino to do anything: in the end it's the casino's choice whether they wish to respect the player's wishes regarding arbitration.
The second part of "can't discuss ... because of the GDPR" is the "because" bit. Here the claim is being made that the GDPR somehow bars a casino from discussing anything related to one of their customers. The idea, apparently, is that in order to protect the consumer's data rights per the GDPR the casino cannot enter into a discussion about that consumer in any way, shape or form. My primary goal in this article is to show that that is blatantly false, and in fact any casino that does so is itself violating both the spirit and letter of the GDPR.
Before we proceed we need to cite the definition of a few of the key terms that are used throughout the GDPR legislation. These terms are defined up front in the GDPR -- "
For the purposes of the following discussion players who submit complaints are the "data subjects" while casinos and ADRs are "data controllers" although they clearly use the player's data for different reasons.
The Right to Data Portability
Chapter III of the GDPR lays out the "Rights of the data subject" including the "Right of Access", the "Right of Rectification" and so forth. Particularly relevant to our subject here is
It is worth noting that there is an addendum to Article 20 -- the GDPR calls these addendums "Recitals" -- called "
So the bottom line is that "can't discuss ... because of the GDPR" is simply false. At best it is a misreading of the GDPR, but given the clarity of the language used in the Right to Data Portability that's not much of an excuse.
The Right of Access: Subject Access Requests (SARs)
In our experience a casino will sometimes choose to classify a player's request for arbitration as a "Subject Access Request". In the GDPR this is covered in
The controller is expected to respond within 30 days.
The significance of classifying a request for arbitration as a SAR is that the casino is assuming the player is simply requesting all the applicable data on the player that the casino holds and nothing more. That's a fairly gross misinterpretation of what dispute arbitration is or should be. A cynic might conclude that is not an accident.
For the purposes of our discussion here it is again obvious that the GDPR does not intend to prohibit access to consumer data: a clear path to the data is defined, the scope and procedures are specified.
Appointing a Representative
In this context "a properly appointed representative" is taken to mean a body that can provide or can ask the data subject to provide:
Again, clearly, the GDPR is not a barrier to proceeding. As far as ICO is concerned provisions for having a representative act on a data subject's behalf are expected if not explicitly stated.
Conclusion
So there it is, "can't discuss because of the GDPR" is an unfounded and unlawful claim and any casino that says that is violating the GDPR. Recent cases have shown that GDPR violations are being taken seriously; see ICO's
References
As many readers will know consumer data protection has been a growing issue over recent years culminating with last years's GDPR (General Data Protection Rules) introduced and implemented across the EU. There is no question that legislation like the GDPR, and the DPA (Data Protection Act) that preceded it, is necessary and appropriate in today's increasingly online-oriented world. The reports of user data abuse that have peppered the news this past year or so are more than sufficient proof of that. The GDPR has quickly come to be considered the "gold standard" for consumer data protection and, for example, has been adopted wholesale by the UK in spite of the forthcoming Brexit departure.
Given that the GDPR is already with us the current and ongoing phase is implementation. And it's here that we encounter an old problem: casinos using the GDPR as an excuse to refuse to discuss player issues.
The argument the casinos give -- such as it is -- is simply this: "can't discuss player's complaint because of GDPR". My thesis today is that there are two important parts to that statement. The first part is "can't discuss" and to some extent we and others have covered this earlier in the year. See for example ThePogg's "
You do not have permission to view link
Log in or register now.
" and our own "Casino Industry Myths: The GDPR".The salient point in those previous articles is that there are clauses within the GDPR that demonstrate why a casino should discuss a player's complaint with an ADR of the player's choice but there is nothing compelling the casino to do anything: in the end it's the casino's choice whether they wish to respect the player's wishes regarding arbitration.
The second part of "can't discuss ... because of the GDPR" is the "because" bit. Here the claim is being made that the GDPR somehow bars a casino from discussing anything related to one of their customers. The idea, apparently, is that in order to protect the consumer's data rights per the GDPR the casino cannot enter into a discussion about that consumer in any way, shape or form. My primary goal in this article is to show that that is blatantly false, and in fact any casino that does so is itself violating both the spirit and letter of the GDPR.
Before we proceed we need to cite the definition of a few of the key terms that are used throughout the GDPR legislation. These terms are defined up front in the GDPR -- "
You do not have permission to view link
Log in or register now.
" -- and are then used throughout as short-hand to discuss the various aspects of the new law:'data subject': an identifiable natural person ... who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier ....
'data controller': the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data ....
'consent': any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
For the purposes of the following discussion players who submit complaints are the "data subjects" while casinos and ADRs are "data controllers" although they clearly use the player's data for different reasons.
The Right to Data Portability
Chapter III of the GDPR lays out the "Rights of the data subject" including the "Right of Access", the "Right of Rectification" and so forth. Particularly relevant to our subject here is
You do not have permission to view link
Log in or register now.
, the "Right to Data Portability":- The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided ...
- In exercising his or her right to data portability pursuant to paragraph 1, the data subject shall have the right to have the personal data transmitted directly from one controller to another ..."
It is worth noting that there is an addendum to Article 20 -- the GDPR calls these addendums "Recitals" -- called "
You do not have permission to view link
Log in or register now.
" which includes the following statement:"... That right [the Right of Data Portability] should apply where the data subject provided the personal data on the basis of his or her consent ..."
This is significant because there are a few special circumstances in which the Right to Data Portability is restricted but the GDPR has made it clear that those do not apply where the data subject has provided their data by consent, namely by registering at a casino.So the bottom line is that "can't discuss ... because of the GDPR" is simply false. At best it is a misreading of the GDPR, but given the clarity of the language used in the Right to Data Portability that's not much of an excuse.
The Right of Access: Subject Access Requests (SARs)
In our experience a casino will sometimes choose to classify a player's request for arbitration as a "Subject Access Request". In the GDPR this is covered in
You do not have permission to view link
Log in or register now.
, and the bottom line is:"The controller shall provide a copy of the personal data undergoing processing."
The controller is expected to respond within 30 days.
The significance of classifying a request for arbitration as a SAR is that the casino is assuming the player is simply requesting all the applicable data on the player that the casino holds and nothing more. That's a fairly gross misinterpretation of what dispute arbitration is or should be. A cynic might conclude that is not an accident.
For the purposes of our discussion here it is again obvious that the GDPR does not intend to prohibit access to consumer data: a clear path to the data is defined, the scope and procedures are specified.
Appointing a Representative
"The GDPR does not give you any specific rights to appoint someone to act for you when dealing with an organisation that is processing your personal data. However, in most circumstances we would expect organisations to allow you to exercise your data protection rights ... through a properly appointed representative if you want this."
You do not have permission to view link
Log in or register now.
,"The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals."In this context "a properly appointed representative" is taken to mean a body that can provide or can ask the data subject to provide:
- proof that you have given your representative authority to exercise your data protection rights, or make a complaint, for you (such as a letter giving them your authority), and
- proof of your identity.
Again, clearly, the GDPR is not a barrier to proceeding. As far as ICO is concerned provisions for having a representative act on a data subject's behalf are expected if not explicitly stated.
Conclusion
So there it is, "can't discuss because of the GDPR" is an unfounded and unlawful claim and any casino that says that is violating the GDPR. Recent cases have shown that GDPR violations are being taken seriously; see ICO's
You do not have permission to view link
Log in or register now.
listing for example. As such casinos that we know first hand are doing so will henceforth be added to our (new) GDPR Violators blacklist.References
You do not have permission to view link
Log in or register now.
You do not have permission to view link
Log in or register now.
You do not have permission to view link
Log in or register now.
You do not have permission to view link
Log in or register now.
You do not have permission to view link
Log in or register now.
Last edited:
