Email or letter to ask for deletion of personal data
ENTER BOOKMAKER’s NAME
Google will inform for a postal address and the privacy policies of each company should provide an email address.
From the first week of July 2018 this url: https://ico.org.uk/about-the-ico/what-we-do/register-of-fee-payers/ should contain the details you need for the above.
Re: General Data Protection Regulation (ENTER USERNAME)
Having been notified that my account is subject to stake restrictions and no longer qualifies for Best Odds Guaranteed or other customer offers, I write today to instruct you to close my account and remove all data which you hold on me in relation to this account.
By restricting my account to the point it is unusable, it is clear to me that you no longer wish to have me as your customer. While I recognise your right to do business with whom you choose, I will exercise my right to take my future business elsewhere. As we will no longer be transacting, nor have any future relationship of any kind, then you have no reason to retain my personal data.
You will be aware that the EU General Data Protection Regulation (GDPR) came into effect in the UK on May 25th 2018, and that the UK has adopted the same principles since Brexit.
This email/letter (delete as applicable) serves as a formal request for erasure of personal data held about me in accordance with Article 17(1) GDPR.
Please erase all personal data concerning me as defined by Article 4(1) GDPR.
If I have given consent to the processing of my personal data (e.g. according to Article 6(1) or Article 9(2) GDPR), I am hereby withdrawing said consent.
In addition, I am objecting to the processing of personal data concerning me (which includes profiling), according to Article 21 GDPR.
In case you have disclosed my personal data to third parties, you have to communicate my request for erasure of the affected personal data, as well as any references to it, to each recipient as laid down in Article 19 GDPR. Please also inform me about those recipients.
The European Union defines personal data widely, including IP addresses. The UK’s Information Commissioner’s Office has ruled that e-device data becomes personal data when it is combined with other personal data, e.g. a home and/or email addresses. I am of the understanding that ENTER BOOKMAKER NAME does combine e-device data with other personal data when profiling customers, therefore “all data held” will include e-device data held by ENTER BOOKMAKER NAME and all third parties, e.g. iovation and/or Threatmetrix.
In case you are of the mistaken belief that your business is somehow exempt from the aforementioned regulations, or that the continued processing of my personal data is somehow necessary, despite our customer/supplier relationship coming to an end, I would refer you to the following advice previously provided by the Remote Gambling Association;
“55. Customers have the right to have their data ‘erased’ in certain specified situations. This is in essence where the processing fails to satisfy the requirements of the GDPR. Where customers seek to exercise these rights, data controllers must respond without undue delay (and in any event within one month). This period can be extended in difficult cases, but data controllers would need to demonstrate their justification for relying on the extension provision.”
In my opinion “certain specified situations” in the case of gambling companies appears to mean any situation except where a person has self-excluded or is suspected of crime. I am aware of reports that some bookmakers are refusing erasure of data to many, if not all, customers using various “excuses”. I wish to make it clear that I will not accept “excuses”; only clear, correctly referenced legal arguments if you are to attempt to avoid your legal obligations, and deny to me the rights afforded under GDPR Chapter 3, Articles 12-23.
I would also like you to note that I will take any routes open to me to obtain those rights if you do try to deny them, including seeking redress via the methods and mechanisms defined in Article 77(1) GDPR and Article 79 GDPR.
My request explicitly includes any other services and companies for which you are the controller as defined by Article 4(7) GDPR.
As laid down in Article 12(3) GDPR, you have to confirm the erasure to me without undue delay and in any event within one month of receipt of the request.
To avoid unnecessary administration or further correspondence, I am including the following information which will help you to identify records pertaining to me: (ENTER)
- Full name
- Date of birth
- Email address
- Account number/name
- +Whatever you feel is appropriate – remember your address is at the top of the letter and your full name at the bottom
If you do not answer my request within the stated period, I am reserving the right to take legal action against you and to lodge complaints with responsible supervisory authorities, including the Gambling Commission and the Information Commissioner’s Office.
ENTER NAME (ENTER USERNAME)
ps: Even though it is clear that I’m not requesting closure of my account for social responsibility reasons, i.e. this is NOT a request for self-exclusion; I would like to reconfirm this point here.
Despite this template and J4P’s explanation of how GDPR works (https://justiceforpunters.org/other-punter-injustices/general-data-protection-regulation-gdpr/) gambling companies are flatly refusing to delete personal data and the regulator has done nothing about this despite this practice often being in breach of law.
Legally, it’s pretty clear that personal data should not be retained for longer than five years and in some cases 2-3 years. However, unless an ex-customer is absolutely desperate for data deletion there is little point unless the customer is willing to take their case up with the Information Commissioner’s Office if the gambling company refuses deletion. It is up to gambling customers to make it clear that their data rights are being compromised.
This may change at any time.