An individual opened an online account with a bookmaker and deposited a sum of money to their account. Having attempted to download the application (‘app’) associated with the service, the individual quickly realised that the app was not compatible with their mobile phone. The following day the individual submitted an erasure request under Article 17 of GDPR to the bookmaker. The bookmaker refused to comply with the erasure request, stating that it had legal obligations to retain the personal data as a deposit and withdrawal of funds had taken place on the account, thus making them a ‘customer’. The individual was dissatisfied with this response as they did not agree that they were a ‘customer’ of the bookmaker, as they did not place any bets through the account, either online or through the app.

Following engagement with the DPC, the bookmaker advised that it could not erase the individual’s personal data as it was subject to Anti-Money Laundering legislation, under the Criminal Justice (Money Laundering and Terrorist Financing Acts 2010, which became applicable when the deposit and withdrawal of funds were made on the individual’s account.

The bookmaker outlined to the DPC that although it was legally obliged to retain the individual’s personal data it only retains the minimum amount that is necessary to fulfil this legal obligation in line with the principle of data minimisation as set out in Article 5(1)(c) of the GDPR.

Following its examination of the complaint, the DPC found that while the organisation had demonstrated a valid lawful basis for the ongoing retention of the personal data, the DPC issued recommendations to the organisation on its obligations to ensure that all processing is lawful and fair and that it is transparent about its processing activities.