Malta’s data protection commissioner has warned Malta-licensed operators that they should not ignore requests for personal data, in a move apparently linked to German and Austrian gamblers seeking their transaction history as part of attempts to reclaim losses.
The Information and Data Protection Commissioner recently wrote to the data protection officers of Malta Gaming Authority-licensed operators, noting that it had received a rise in the number of complaints from German and Austrian citizens.
Those citizens complained that the operators had ignored, or not properly fulfilled, subject access requests under European Union's General Data Protection Regulation (GDPR), said Patrick Massa, a lawyer with Malta-based WH Partners.
The claims appear to relate to the tens of millions of euros that online casino companies have already been forced to pay in claims for online casino losses, mostly in Austria, where the Supreme Court has upheld the Austrian online casino monopoly, win2day, and said that reimbursements of losses are appropriate.
German gamblers have also made such claims in court, based on the fact that online casinos were not legally allowed nationwide until July 2021.
Litigation finance companies in Austria have pressed the claims in Malta, where many of the operators are based.
The data protection commissioner told gambling company officials that “data subjects” are not required to state any purpose when requesting their personal data, according to Massa.
Violations related to the fulfilment of subject access requests carry a fine of up to €20m, or 4 percent of worldwide turnover, the commissioner told gambling executives.
The data regulator is reminding companies “they need to make sure they do not move away from their obligations under GDPR” and that it does not matter why a person is making a request for their own data, Massa told VIXIO GamblingCompliance.
Vienna-based attorney Arthur Stadler said that requests for personal data are typically the first step that former customers of gambling companies make before filing a lawsuit against the company.
He said that there are limits on requests for information under GDPR laws, such as requests that are “obviously unfounded or excessive”.
“These must be assessed in each individual case,” he said.
A spokesman for the Malta data protection office would not comment on its statement, saying it was “specifically addressed to data protection officers of online gambling operators established in Malta and not intended for dissemination with any other third party”.