Understanding the “Right to Be Forgotten” (UK and EU GDPR Basics)
The Right to Be Forgotten – formally known as the right to erasure under GDPR – gives individuals the power to request deletion of their personal data held by organisations. In practice, this means you can ask an online casino (or any company) to erase information they hold about you, such as your account details and play history. Both the EU’s GDPR and the UK’s post-Brexit data law (often called “UK GDPR”, mirroring GDPR) include this right. Article 17 of GDPR spells out that you have the right to have personal data erased without undue delay when certain grounds apply – for example, if the data is no longer necessary for the purpose it was collected, or if you withdraw consent and there’s no other legal reason to keep it. Importantly, the UK law is essentially equivalent, so whether you’re a player in London or Amsterdam, the core principles are the same.
However, the right to erasure is not absolute. GDPR and UK law carve out specific exceptions where an organisation can refuse your deletion request. For instance, companies can deny erasing data if they must keep it to comply with a legal obligation – a scenario very relevant to online gambling, as we’ll see. They can also refuse if the data is needed to exercise or defend legal claims, to support freedom of expression, or for certain public interest reasons. In short, you can ask a casino to erase your data, but the casino might lawfully keep some data if required to do so.
How the Right Applies to Online Casinos in the UK and the Netherlands
Online casinos operating in the UK and the Netherlands are subject to strict data protection rules. These operators are considered “data controllers” under GDPR/UK GDPR, which means they must handle your personal data fairly, securely, and transparently. A reputable, licensed casino in either jurisdiction will have a clear privacy policy explaining how it uses your data and how you can exercise your rights. In both the UK’s regulated market (the London gaming market and beyond) and the Dutch market, gambling companies must allow players to request data deletion and other GDPR rights.
That said, gambling operators also have additional laws and regulations to follow. Licensed casinos are bound by anti-money laundering (AML) and gambling regulations, which, in practice, limit how completely they can “forget” you. For example, UK gambling operators are required by law to retain certain records for at least five years after your account is closed. This includes identification details and transaction histories collected for AML compliance. The Netherlands has similar requirements: for instance, Holland Casino’s policy states it keeps data required by the Dutch gambling law (Wet op de Kansspelen) and AML law (Wwft) for 5 years, and even longer (7 years) for certain financial records required by tax law. In both countries, these retention rules mean that even if you invoke your right to be forgotten, the casino may still hold onto some of your data until the mandatory retention period expires.
Crucially, being licensed and regulated (by the UK Gambling Commission in Britain, or the Kansspelautoriteit in the Netherlands) means the operator must comply with GDPR as part of their broader compliance duties. If a casino is unlicensed or operating illegally, they may not honour your data rights at all – another reason to only play at reputable, licensed sites. We’ll discuss how to verify a casino’s licensing and reputation later on.
Requesting Deletion of Your Casino Account Data (Step-by-Step)
If you decide, “I want to erase my online casino history,” here’s how you can practically exercise your rights:
1. Find the Right Contact: Check the casino’s website for a Privacy Policy or Contact page. Look for a Data Protection Officer (DPO) email address or a dedicated contact for privacy inquiries. Many licensed operators provide a specific email (e.g., [email protected]) or form for GDPR requests. For example, Holland Casino instructs users to email their privacy office and even requires a proof of identity for verification. Identify your account details (username, email, etc.) so the casino can locate your records.
2. Write a Clear Request: You don’t need fancy legal language – simply state that you are exercising your right to erasure under GDPR (or UK data protection law) and request the deletion of your personal data. Be specific about which data or accounts this pertains to (e.g., “delete all data associated with my player account [account ID]”). Before you submit the request, it’s worth reviewing what data the casino has actually collected — if you notice excessive or irrelevant information being held, that could indicate a breach of GDPR’s data minimisation principle.
We discuss how to identify these kinds of issues in “GDPR Red Flags: 7 Ways to Spot a Casino That Ignores the ‘Data Minimisation’ Principle.” It can help to mention you understand the casino has one month to respond, as GDPR requires.
3. Send the Request (and Keep Proof): Deliver your request via the channel the casino suggests – commonly email or an online form. It’s wise to keep a copy of your request (or screenshot if submitted via form) and note the date. Under the law, the casino should respond within one calendar month to let you know what they’ve done or if they need more time/information.
4. Follow Up if Needed: A reputable casino will acknowledge your request and either confirm deletion or explain refusals/partial deletions. If you hear nothing back after a month, send a polite follow-up. Sometimes responses go to spam folders, so check those as well.
5. Escalate if Refused Unfairly: There are valid reasons a casino might refuse to erase some data (we cover those next). However, if you believe a licensed casino is unjustly denying your request or not responding at all, you can escalate the matter. In the UK, you can raise a complaint with the ICO. In the Netherlands, you can contact the Autoriteit Persoonsgegevens (Dutch Personal Data Authority). Regulators can investigate and have the power to enforce GDPR compliance (including issuing fines).
6. Practical tip: When communicating with the casino, remain courteous and factual. State your request and, if appropriate, cite that you understand certain data might be retained for compliance reasons. This shows you’ve done your homework and encourages a transparent response.
What Can (and Can’t) Be Erased from Your Casino History
It’s important to set your expectations: invoking the right to be forgotten does not mean a casino will scrub every trace of your gambling activity overnight. Data protection law balances individual rights with other obligations. Here’s what to know about the kinds of data a casino might delete, and what they might lawfully keep:
- Personal Identifiable Information: Details like your name, contact info, account profile, and marketing preferences are typically deletable if they’re no longer needed. If you’ve closed your account, a casino doesn’t have a reason to keep, say, your email address for marketing – you can insist they erase such data. Indeed, if you withdraw consent (e.g. unsubscribe from marketing), that’s grounds for deletion of related data.
- Gameplay and Transaction History: This is where legal obligations come in. Casinos licensed in the UK and NL must retain gambling transaction records and identity verification data for a minimum period (usually 5 years) to comply with anti-money laundering laws. Even if you request erasure, the operator can lawfully refuse to delete those records until that retention period lapses, since they have a legal obligation to keep them. One common example: A casino might say, “We’ll delete your account and marketing data now, but we must keep your betting and withdrawal records for five years per AML regulations.” This limited retention is allowed under GDPR’s exemption for legal compliance.
- Self-Exclusion and Responsible Gambling Data: If you have self-excluded or if the casino has notes related to problem gambling interventions, they may need to retain that information (at least as long as the self-exclusion is active) for responsible gambling purposes. Erasing such data immediately could conflict with their duty to prevent you from gambling during the exclusion period, which is in the public interest of safer gambling. Here again, casinos might cite an exemption to the right of erasure because they are carrying out a task in the public interest or under official authority (the mandate to protect vulnerable players).
- Financial Records and IDs: Casinos often keep copies of identity documents (passports, driver’s license), payment records, and even communications in case of disputes. Much of this falls under regulatory retention. For instance, Dutch casinos are required to hold onto certain financial transaction data for 7 years due to tax laws. Such data won’t be wiped immediately on request. But rest assured, after the mandatory period, the casino should delete or anonymise it. In fact, UK guidance explicitly states that once the legal retention period ends, personal data must be deleted unless an exception applies.
- Data that can be removed: On the brighter side, casinos should promptly delete data that isn’t subject to an exception. This might include saved credit card details (if not needed), any profile photo or avatar you uploaded, saved device/browser identifiers, and marketing profiles. For example, if the casino had segmented you as a “great player” for VIP marketing, you can ask for those profiling records to be erased once you leave. They must also inform any third parties they shared your data with (like marketing partners) about the erasure, if possible.
When a casino complies with your erasure request, they’ll often confirm that your account is closed and personal data removed, aside from the portions they must retain by law. It’s not a complete scrub of history like it never happened (your bank statements or win/loss history in emails obviously can’t be erased by the casino), but it does restore a significant degree of privacy regarding the data under the casino’s control.
Choosing a Licensed and GDPR-Compliant Casino (Reputation Matters)
Since your ability to control your data hinges on the casino’s compliance, it’s wise to stick to operators that are licensed and reputable. Here’s how to evaluate a casino from a licensing and GDPR standpoint:
- Check the Licence: In the UK, it’s easy to verify an online casino’s licence. The UK Gambling Commission offers a public register – you can perform an operator’s licence check by searching the business name on the UKGC website. This tool lets you check someone’s licence status in the Great Britain market, ensuring the operator is officially licensed (and thus accountable to the Commission). In the Netherlands, the Kansspelautoriteit (KSA) provides a similar portal (the register of licensees) where you can confirm if a gambling site is legally licensed in the Netherlands. Simply search the company or website name to verify they hold a KSA-issued licence. If a casino can’t be found in the regulators’ databases, that’s a red flag – the operator might be unlicensed, and your rights (and funds) could be at risk.
- Look for Licensing Info on the Site: Reputable casinos will clearly display their licensing information on their homepage or footer. UK sites should show a UKGC licence number; Dutch sites should show a KSA licence number or logo. A site that is properly licensed in these jurisdictions is far more likely to comply with GDPR, because data protection is part of being a “fit and proper” licensed operator. By contrast, shady sites operating without a licence might ignore data deletion requests altogether.
- Review the Privacy Policy: Take a moment to read the casino’s Privacy Policy (sometimes called Data Protection Notice). This document should mention GDPR or the applicable data law, list your rights (access, rectification, erasure, etc.), and provide contact details for privacy inquiries. For example, a well-regulated casino’s policy might explicitly state: you have the right to have your data removed, and we will comply insofar as permitted by law. It should also outline how long they retain data (e.g. “we keep AML-related data for 5 years”). If the privacy policy is missing, extremely vague, or doesn’t acknowledge your rights, that’s a bad sign. A trustworthy, licensed operator in the London gaming market or the Dutch market will be transparent about these details.
- GDPR Compliance Signals: Beyond the policy, other signs of a GDPR-compliant casino include: offering a cookie consent banner and privacy settings, having an easy way to opt out of marketing emails, and providing a method to submit data requests. These indicate the casino takes data regulations seriously. When an operator respects these rules, it generally reflects a higher level of professionalism and accountability to players.
By choosing a licensed casino that values compliance, you not only protect your money but also your personal information. Such casinos are audited and regulated, meaning if you do exercise your right to be forgotten, there’s a strong framework ensuring the casino handles it properly. In contrast, if you gamble on an unlicensed site, you might find your data being misused or your deletion requests ignored – and you’d have little recourse in that case.
Conclusion: Erasing Your Online Casino Footprint
So, can you erase your online casino history? In many cases, yes — but not entirely. GDPR gives you the right to request deletion of your personal data, and licensed, reputable operators are required to comply. Still, some records — especially those linked to anti-money laundering and responsible gambling — may be retained for legal reasons.
If you’re unsure whether your rights are being respected or you’ve had your request unfairly denied, Player Protection Legal is here to help. We’re a law firm specialising in disputes with online casinos, GDPR violations, and regulatory complaints in both the UK and the Netherlands.
Take control of your data.
If you need legal support, advice, or help drafting a request, contact us for a confidential consultation.