Home > News
Mind my data Click to visit the homepage
The ICO is manipulating the process again
The basics
Plausible deniability
Employment agencies
Useful links
Open in a new window/tab
The Information Commissioner
Mailing Preference Service
Telephone Preference Service
Royal Mail junk mail opt-out
Register of data controllers
Analysis
My response to the ICO's tweet about policy
Are data controllers 'officially' lying to us?
Why do we need to accept a Privacy Policy?
Can I opt-out of a renewal quote under section 11 of the DPA?
Who's texting me about PPI?
Marketing corporate employees by e-mail

188BET failed to comply with my subject access request

188BET fails to clarify what data they hold about me, how they obtained it and what right they have to process it.

After receiving an couple of e-mails last year promoting 188BET's online casinoNew window I contacted the official sponsors of Bolton Wanderers Football Club website and asked them to clarify how they had obtained my e-mail address. They eventually got back to me and said the following:

'We refer to our recent communications and your complaint with regard to your personal detail being used. After further checking with the management, the email you received is from our Casino Affiliates. As stated in our Privacy Policy, we may share your personal data with organizations who are our business partners and we or they may contact you, unless you have asked us or them not to do so, by mail, telephone, SMS text, fax, email or other available means of communication about products, services, promotions or special offers'.

Unfortunately this didn't help me much as I'd never heard of them before I received a marketing e-mail promoting their casino and I don't use online casinos or support Bolton Wanders. In light of their response I submitted a subject access request but they never responded so I submitted a complaint to the ICO. The ICO said:

'it is unlikely that 188bet has complied with the Requirements of the DPA. This is because it appears 188BET has failed to properly respond to your subject access request. We have now asked 188BET to now provide you with a full response or explanation why they cannot respond to you'.

Earlier this week - 06/03/2013, I received an e-mail from Cube Limited - the company that owns 188BET. They said:

'We refer to your Subject Access Request dated 10 June 2012.

We apologise for the delay in responding to your request.

Before we deal with your Subject Access Request, we require the following to be submitted to us please:

proof of your identity (e.g. a certified copy of your driving licence or passport) for our verification purposes.

Please send the above to the Data Protection Officer, Cube Limited, Clinch's House, Lord Street, Douglas, Isle of Man, IM1 1JD.

Your request will be dealt with directly we have received the required proof of identity'.

I had to laugh. Bearing in mind that I don't have a prior relationship with this organisation, what are they playing at by asking me to provide them with a certified copy of my driving licence or passport? Why on earth would I give them details of my name, address, date of birth, photograph and biometric data when, as far as I'm aware, the only information that they hold about me is my name and e-mail address. This being the case, what purpose does obtaining all the other information fulfil? How can they use it to verify me if they don't have that information in the first place to verify against? And if I were to write Certified by Nobby Nobend on a copy of my passport would they know who this is or what their status is? Won't they also need Mr Nobend's details?

The law states that they can make a reasonable request for information in an effort to identify me and I've tried to reason with them by asking them to tell me what kind of information they hold about me and I will provide something suitable to validate that information. But they insist on either a certified copy of my driving licence or passport. We therefore agreed to disagree and I've now submitted another complaint to the ICO. It will be interesting to see what the ICO do.

Anyway, under the Data Protection Act 2002 - which is the legislation used by the Isle of Man, a judge can order a data controller to pay £5000 for failing to comply with a subject access request - which according to the ICO they've already done. If the ICO are not willing to do anything then I'll see about taking them to court.

Added: 09.03.2012