General Data Protection Regulation (GDPR)

This is a forum for discussing privacy abuse. Some bookmakers secretly use insidious tracking techniques on computers and smartphones. The one product most talked about is 'iesnare', which is never specifically mentioned in terms and conditions, but there are plenty of other privacy abuses you may not be happy with. Let everyone know.
Jimmy Justice
Site Admin
Posts: 530
Joined: Wed Jan 13, 2016 9:16 am

Re: General Data Protection Regulation (GDPR)

Post by Jimmy Justice » Tue Jul 31, 2018 9:42 am

Hi,

Thank you for doing all this; impressive commitment.

You've confirmed what a few others have experienced, i.e. bookies make it up as they go along. They quote what appears most convenient to them in each individual case and nothing really to do with what the legislation says. We've had one person quoted a 10 year retention period as his account had been closed for eight years. Only SkyBet has ever been 100% honest in replying to a customer when they actually stated they were refusing to erase data for commercial risk management reasons. I don't know whether this is legal or not.

We've been pressing for a joint meeting with the ICO and GC for many months, I'm pleased to say this meeting is taking place near the end of August where we hope to receive guidance on what are the 'rules' on numerous issues not just erasure and provision of data, e.g. Iovation.

Regarding checking who you are and asking for more documents, we would see this as being reasonable if you haven't used the account for say 6-months or more, but if you've used it recently, it's clear Betstars has traded with you whilst breaking GC guidelines, because they're admitting they didn't know who you were. Concerning being busy, do not accept that. Any SAR has to be provided in 30 days legally, so complain if they don’t do this. Pathetic excuse really from such a large company.

Thanks again and we'll be putting a report on the website about the aforementioned meeting.

JJ

flook
Supporter
Posts: 10
Joined: Mon Jul 16, 2018 4:32 pm

Re: General Data Protection Regulation (GDPR)

Post by flook » Tue Jul 31, 2018 5:20 pm

hills have sent me something which supposedly explains their legal position, havent read it yet, but if its interesting I can pass it along if you wish

dobie2089
Supporter
Posts: 10
Joined: Fri Jul 20, 2018 12:49 am

Re: General Data Protection Regulation (GDPR)

Post by dobie2089 » Wed Aug 01, 2018 2:56 pm

Latest response from the ICO ..now using the money laundering clause as an excuse to hold on to my details . If this money laundering rule is going to be applied to all organisations that you have used a credit or debit card with , then I would suggest the right to erasure part of the GDPR is pointless and basically unenforceable ! game over ?

Case Reference Number RFA0753367

1st August 2018

Dear Mr .......

Thank you for your email of 27 July 2018.

I am sorry that you remain unhappy with our responses to your concerns about Sky Bet’s information rights practices.

As I mentioned in my correspondence, under Article 17 of the General Data Protection Regulation (‘GDPR’) individuals have a new ‘right of erasure’. However, this is not an absolute right and organisations may refuse a request where, for example, there are overriding legitimate grounds for the processing.
When does the right to erasure not apply?
The right to erasure does not apply if processing is necessary for one of the following reasons:
to exercise the right of freedom of expression and information
to comply with a legal obligation
for the performance of a task carried out in the public interest or in the exercise of official authority
for archiving purposes in the public interest, scientific research historical research or statistical purposes where erasure is likely to render impossible or seriously impair the achievement of that processing
for the establishment, exercise or defence of legal claims.
In this case, Sky Bet explain in their privacy policy "We hold your personal information only as long as we have a valid legal reason to do so, which includes providing you with the services you have requested, meeting our legal and regulatory obligations, resolving disputes and enforcing our agreements”.

Part 4 (40) of the Money Laundering Regulations, says that organisations have a legal duty to keep records for five years after the business relationship ends. More about this can be found by following this link https://www.gov.uk/guidance/money-laund ... quirements
Therefore, we are satisfied that Sky Bet has a legal obligation to retain your data.

We have made our decision in respect of your complaint. If you wish to challenge it then your next step is to request a case review. To do this you should complete and return the form within three months.

Please see our website for further information about our case review procedure:
https://ico.org.uk/concerns/complaints- ... -about-us/ 

Yours sincerely,

Elizabeth Walters

Jimmy Justice
Site Admin
Posts: 530
Joined: Wed Jan 13, 2016 9:16 am

Re: General Data Protection Regulation (GDPR)

Post by Jimmy Justice » Thu Aug 02, 2018 10:45 am

http://www.gamblingcommission.gov.uk/PD ... h-2018.pdf

The above document in our opinion over-rides other government and EU legislation concerning the risk of crime in the gambling industry, so I would suggest, but am willing to be proven wrong, that what Ms Walters is advising you is not accurate. It should become clear why.

1.8 It is imperative that gambling operators comply with the requirements of the Gambling Act 2005 (the Act) and the Licence Conditions and Codes of Practice (LCCP) to ensure that they have effective policies, procedures and controls in place to prevent ML/TF, and continue to raise standards in that regard.
2.3 In transposing the EU 4th Money Laundering Directive (the Directive), HM Government decided to utilise powers provided to member states to exempt gambling sectors which are lower risk in comparison to the wider financial system, for example retail banking, with the exception of non-remote and remote casinos, which could not be exempted.

Have you extensively gambled in their casino? Have you placed sports bets that would suggest money laundering, e.g. with little risk and guaranteed high return of turnover? If not any risk assessment (see later) should have you as a low risk.

2.4 Regulation 17 of the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (the Regulations) places an obligation on supervisory authorities to carry out a risk assessment of their supervised sector. The Commission is the supervisory authority for casinos and this obligation is met by this risk assessment. The Commission will also continue to use this risk assessment to inform HM Government of the level of risk within the entire gambling industry in GB.

The main responsibilities for AML and other crime legislation for gambling actually falls on the GC not companies and the GC has chosen a risk assessment route. There is no mention of 5-years for data retention in this document. In fact, the whole document is about assessing risk, not didactic statements of time or for that matter little else (confirmed 3.7 below).

3.7 Licence condition 12.1.1 requires all operating licensees (with the exception of gaming machines technical and gambling software licensees) to conduct an assessment of the risks of their businesses being used for ML/TF. Licensees must also ensure they have appropriate policies, procedures and controls to prevent ML/TF having regard for their risk assessment. They must ensure that such policies, procedures and controls are implemented effectively, kept under review, revised appropriately to ensure that they remain effective, and take into account any applicable learning or guidelines published by the Commission from time to time.

Finally, the replies we’ve had from different gambling companies generally would suggest that many are lying about these so called time limits, because we’ve seen 5, 6, 7 and 10 years quoted. I think this confirms that the GC as the supervisory authority for crime risk in gambling is NOT dictating any set time period.

dobie2089
Supporter
Posts: 10
Joined: Fri Jul 20, 2018 12:49 am

Re: General Data Protection Regulation (GDPR)

Post by dobie2089 » Thu Aug 02, 2018 5:44 pm

ok ...so I guess the 2 points to take from that JJ are ...1) its an opinion that the gambling commission clauses override any other governmental or E.U. legislation . Are there any instances of judgements that support that idea ?
2) What could be defined as extensive casino play ? I've played a bit in skys casino but surely the term extensive in regards to this is subjective compared to others gameplay .

I am contemplating just filing the complaint and not dealing with this ms Walters character anymore , but the whole process is already starting to drain me of enthusiasm and I don't really want to waste any more of my energy peeing into the wind if the above 2 points are too sketchy for a complaint to be given anymore airtime from them that i have already been afforded .

Be interested in your thoughts going forward

flook
Supporter
Posts: 10
Joined: Mon Jul 16, 2018 4:32 pm

Re: General Data Protection Regulation (GDPR)

Post by flook » Thu Aug 02, 2018 7:17 pm

Extract from 8 page guidance document issued by the Gambling Commission. In the manner of such "guidance" it is both vague and over-wordy. On the subject of right to erasure, it is also disappointingly brief:

Data subject rights
2.10 GDPR gives data subjects certain qualified rights in relation to their data, such as the “right to erasure” and “the right to prevent decisions being made solely based on the automated processing of data”. Data controllers should be aware of these rights, and make an assessment of the circumstances in which they do and do not apply. For example, such rights may not apply where their exercise conflicts with important regulatory objectives (such as the refusal of service to underage gamblers). Relevant considerations here may include:
i. The right to erasure is restricted where processing is still necessary in relation to one of the permitted purposes - for instance, compliance with a legal obligation, performance of a contract, or for the performance of a task carried out in the public interest.
ii. The right to prevent decisions being made solely based on the automated processing of data will not apply:
1. Where decisions are not made solely on this basis i.e. there is some human intervention
2. If the decision making is based on the data subject’s explicit consent
3. If the decision is one which is authorised by law to which the controller is subject.

3.2 Under GDPR, data subjects may request that their personal data (including data which may be relevant to regulatory compliance) is erased. However, this right is not unrestricted. In particular, such requests are unlikely to be valid if retention of the data is still necessary in relation to a lawful purpose

3.4 Based on our experience of investigations to date, licensees should ensure that data which relates in any way to regulatory compliance should be available for a minimum period of five years after the end of a relationship with a customer.

Jimmy Justice
Site Admin
Posts: 530
Joined: Wed Jan 13, 2016 9:16 am

Re: General Data Protection Regulation (GDPR)

Post by Jimmy Justice » Fri Aug 03, 2018 11:00 am

Hi,

I'm chasing some clarification from the GC on everyone's behalf.

You are correct that it's all very vague and that's what the gambling companies play on. Thank you for giving your time and I accept that you may not wish to give more if you feel you're wasting your time. I have to be honest and say, we've wasted hours, more like days with the ICO and GC on this topic and I can't guarantee you will not waste further time, in fact, I think it's highly likely, so please do decide to wait until our meeting has occurred at the end of this month. It's really disappointing to admit this so publicly, but we have yet to see the ICO take any action of note against gambling companies on ANY data issues.

I have no proof for what follows, so it is purely a suspicion, but I think the gambling industry has convinced the relevant regulators that crime and identifying problem gamblers are a massive issue in online gambling, therefore they have been given an unofficial 'long rein' on what they can and cannot do data wise. Of course this is totally unacceptable, especially as there is little evidence that the industry uses privacy processes to identify problem gamblers, in fact, quite the contrary based on the evidence we have. The UK government also rates gambling as low risk for money laundering.

Anyway, that's where we are as honestly as I can tell you, we should know much more at the end of this month.

JJ

dobie2089
Supporter
Posts: 10
Joined: Fri Jul 20, 2018 12:49 am

Re: General Data Protection Regulation (GDPR)

Post by dobie2089 » Fri Aug 03, 2018 8:51 pm

Ok JJ thanks for the honest reply , I will wait to see what comes out of the meeting at the end of this month and then see if i cba to battle them any more ..cheers

flook
Supporter
Posts: 10
Joined: Mon Jul 16, 2018 4:32 pm

Re: General Data Protection Regulation (GDPR)

Post by flook » Tue Aug 07, 2018 4:57 pm

Pretty much my conclusion too, also had a response from the ICO, which advises ladbrokes have complied with their obligations as they have closed my account. No mention whatsoever of erasure of data, so I've written back raising the point specifically

It is a waste of time, but in the odd moments I'm doing nothing it entertains me to play their game

Jimmy Justice
Site Admin
Posts: 530
Joined: Wed Jan 13, 2016 9:16 am

Re: General Data Protection Regulation (GDPR)

Post by Jimmy Justice » Wed Aug 08, 2018 8:51 am

It's really disappointing to here this again. Don't worry we'll not be taking a back-step when we meet with them at the end of this month.

JJ

Post Reply

Who is online

Users browsing this forum: Bing [Bot] and 1 guest