Insights S.122 Requests and the UK GDPR


One question we at Wiggin often receive from operators is whether they are able to disclose the personal data of customers as part of a S.122 request from the Gambling Commission (GC). This question is often framed as what an operator should do where its obligations to the GC conflict with its data protection obligations.

The first point to note here is that complying with a S.122 request does not permit any operator to breach data protection. In fact, Section 352 of the Gambling Act states that: “Nothing in this Act authorises a disclosure which contravenes the data protection legislation.”

The effect of Section 352 and the obligations imposed on operators by the UK GDPR mean that any request from the GC under S.122 should be carefully considered. This can be challenging when S.122 requests are broad with vague purposes. However, it is important to keep in mind that any S.122 Request from the GC must always be necessary and proportionate.

Our advice therefore is that when receiving a S.122 request, an operator should consider whether the purpose is clear; and if the request is proportionate. If there is any doubt, the operator is within their right to clarify the request with the GC. In addition, if such a request can be satisfied by disclosing only anonymised information, this should be the course of action the operator takes.

In summary, when receiving a S.122 request an operator should take the time to review the request thoroughly, consider its gambling and data protection obligations, and not be hesitant in going back to the GC if is anything unclear.

If you have any questions about S.122 requests, data protection or betting & gaming generally please do get in touch.