Fair and lawful processing of CCTV images of a customer
This complaint concerned the processing of the complainant’s personal data in the form of a still image from CCTV footage taken in a betting shop, by distributing that image to various betting shops in the chain with a warning note to staff in order to prevent the complainant from placing bets.
The Commission determined that the betting shop was the data controller because it controlled and processed the personal data in question. The data were (amongst other things) an image of the complainant and internal notes circulated to staff of the data controller about the complainant. The data were personal data because they related to the complainant as an individual and the complainant could be identified from the data.
In response to the complaint, the data controller put forward a number of reasons for processing the complainant’s personal data and sought to argue that there was a valid legal basis for each purpose, as provided for in data protection legislation. The reasons and corresponding legal bases presented by the data controller included the following:
- Legal and Regulatory Obligations: The data controller argued that it is required to retain and use personal data in order to comply with certain legal and regulatory obligations, such as to detect suspicious betting activity and fraudulent transactions under applicable criminal justice legislation. The legal basis put forward by the data controller was that the processing was lawful because it was necessary for the data controller to comply with a legal obligation.
- Risk Management: The data controller claimed that it records personal data relating to customers for commercial risk management. The legal basis put forward in this regard was that the processing was lawful because it was necessary for the purposes of the legitimate interests pursued by the data controller.
- Profiling: The data controller confirmed that it carries out profiling of customer betting activity to (amongst other things) improve customer experience. The data controller argued that such processing is lawful as it is necessary for compliance with legal obligations and for the purposes of the legitimate interests pursued by the data controller.
The Commission decided that the data controller had identified an appropriate lawful basis for each purpose for which it processed personal data relating to its customers. The Commission then considered whether the obligation to process personal data fairly had been complied with by the data controller. In this context, the Commission noted that the data controller is obliged to provide the complainant with information in relation to the key elements of the collection and use of the complainant’s personal data. The data controller here had provided the complainant with an internal company document and confirmed that the complainant’s personal data had been processed in accordance with this document. However, the document was dated after the date on which the complainant’s personal data were processed. On this basis, the Commission noted that it was not clear that the required information had been provided to the complainant and therefore the data controller had failed to process the complainant’s personal data fairly.
Finally, the Commission considered the period of time for which the personal data had been retained. In this regard, it noted that the relevant legislation requires that a data controller keep personal data for no longer than is necessary for the purposes for which the data are processed. The complainant’s personal data had been kept for approximately seven years. The Commission considered that because the data controller had a legitimate interest in retaining the complainant’s data (for commercial risk management), the data controller had acted in accordance with the legislation in this regard.