Authors: Cosmina Maria Simion, Petrus Partene - WH Partners
The Rise of the DSAR in Gaming.
The gaming industry sits at the intersection between a consumer base that generates large quantities of personal data, and an increasingly sophisticated regulatory framework that empowers individuals to demand access to that data. Data Subject Access Requests (commonly referred to as DSARs) have, since the introduction of the General Data Protection Regulation (GDPR) in 2018, become one of the most utilised tools in the data subject rights toolkit. For operators in the gaming sector, whether in online casino, sports betting, or broader interactive entertainment, DSARs represent both a legal obligation and, increasingly, an operational challenge.
The core premise is straightforward. Under Article 15 of the GDPR, any individual whose personal data is processed by an organisation has the right to obtain confirmation of whether their data is being processed, and if so, to receive a copy of that data together with supplementary information about how it is used. Operators must respond within one calendar month, extendable by a further two months in cases of complexity or volume. There is no fee chargeable to the data subject in ordinary circumstances, and the threshold for submitting a request is essentially zero.
What has emerged in the gaming industry, however, is a pattern that gives operators legitimate cause for concern: the strategic use of DSARs not as a genuine exercise of privacy rights, but as an instrument often deployed in the context of disputes over bonuses, account closures, responsible gambling decisions, or regulatory complaints.
Why DSARs Matter in Gaming
Before addressing the weaponisation concern, it is important to acknowledge the genuine and legitimate value that DSARs provide to players. The data that operators hold on players includes financial transaction histories, session data, betting patterns, communications records, and also the outputs of responsible gambling tools and affordability assessments. This data is deeply personal, and players have a legitimate interest in understanding how it is collected, retained, and used.
DSARs become particularly meaningful in the gaming context when players wish to understand the basis on which operators have made decisions about their accounts. A player who has had their account suspended under responsible gambling obligations, or who has been subject to a source-of-funds check, may have a very genuine and reasonable interest in understanding what information the operator holds and how it informed that decision.
Regulatory bodies across jurisdictions have reinforced this position. The Information Commissioner’s Office (ICO) in the United Kingdom, for instance, has made clear that operators cannot refuse or unduly restrict DSARs simply because they anticipate inconvenience or litigation. The right is fundamental, and the starting presumption must always be one of compliance.
The Weaponisation Problem
Yet the reality on the ground tells a more complex story. There are more and more DSARs submitted in circumstances that strongly suggest a tactical rather than a privacy-driven motivation. The most common scenarios include:
- Post-complaint DSARs: A player submits a DSAR immediately after raising a formal complaint. The DSAR then effectively functions as pre-litigation disclosure, compelling the operator to reveal its internal decision-making processes, compliance assessments, and/or staff communications, material that may subsequently be used against the operator in legal or regulatory proceedings.
- Bonus dispute requests: DSARs submitted in the context of bonus disputes, where the player seeks to identify inconsistencies in the operator’s application of terms and conditions across its customer base, or to obtain copies of internal guidance documents that might support a challenge.
- Responsible gambling disputes: Following a self-exclusion failure or an affordability concern, a player may submit a DSAR as a first step in building a legal claim for damages.
Three Things Operators Should Keep in Mind
(1) Compliance is non-negotiable, but scope can be managed
The obligation to respond to a valid DSAR is absolute. Operators cannot refuse simply because a request appears tactically motivated, nor can they delay a response pending the resolution of a related dispute. However, the scope of what must be disclosed is not unlimited. The GDPR permits operators to withhold information that would adversely affect the rights and freedoms of others, including, in appropriate circumstances, commercially sensitive internal communications, third-party personal data, and legally privileged material.
(2) Process architecture prevents crisis management
The most resilient operators are those that do not treat DSARs as exceptional events requiring urgent, reactive scrambling, but instead as a foreseeable and recurring element of their data operations. This means maintaining clean, searchable data architectures; having clear data retention and deletion policies that are actually implemented; training staff on what data exists and where it is held; and establishing documented DSAR response procedures.
(3) Context and proportionality should inform legal strategy
Where DSARs are accompanied by or quickly followed by formal legal claims or regulatory complaints, operators should treat the response process as part of a broader litigation strategy, not in isolation from it. This means early engagement with legal counsel, consideration of whether any exemptions (including legal professional privilege) apply, and a careful assessment of which documents, if released, could prejudice the operator’s position. Equally, operators should resist the temptation to over-redact or delay, as this approach frequently aggravates regulators and courts alike.
Conclusion
The data subject access request is a right that exists for good reason, and the gaming industry, given the sensitivity of the data it processes and the vulnerability of some of its customers, has more reason than most sectors to take that right seriously. At the same time, operators are entitled to respond to DSARs in a manner that is legally precise, operationally disciplined, and strategically aware.
The answer to weaponisation is not resistance, but readiness. Operators that invest in data governance, legal process, and a culture of transparency will find that even the most tactically motivated DSAR becomes manageable.
This article was first published in Casino Inside Magazine.