
IDPC Decision on Incomplete Personal Data Copy Complaint

Source: IDPC Malta Data Protection Decisions (idpc.org.mt)
Filed November 25th, 2024
Detected March 23rd, 2026

Summary

The Information and Data Protection Commissioner (IDPC) of Malta is investigating a complaint alleging that a data controller, a Malta-registered gaming operator licensed by the Malta Gaming Authority, provided an incomplete copy of personal data to a complainant exercising his right of access under Article 15 of the GDPR. The controller initially ignored the Commissioner's requests for submissions and only replied after a formal order invoking the investigative powers under Article 58(1)(e). It argues that section 6d(3) of the German Interstate Treaty on Gambling (ISTG 2021) and regulation 4(e) of Malta's Subsidiary Legislation 586.09 justified limiting disclosure to twelve months of gambling-account transactions. The Commissioner has determined that the controller's main establishment is in Malta and is assessing the case under the GDPR and Maltese law.

What changed

The Information and Data Protection Commissioner (IDPC) of Malta is investigating a complaint filed on November 25, 2024, by a complainant alleging that a data controller failed to provide a complete copy of his personal data when he exercised his right of access under Article 15 of the GDPR. The complainant provided evidence of the initial request of 27 June 2024, the controller's response of 5 July 2024 (an encrypted 'Personal Data Report' with seven sections) and the controller's assertion of 26 July 2024 that the request had been fully satisfied. The controller has since changed ownership and name. The IDPC's requests for submissions went unanswered until it sent a registered letter on 13 March 2025 invoking its investigative powers under Article 58(1)(e). The controller then argued that it had fulfilled the request under section 6d(3) of the German ISTG 2021, which it says takes precedence over Article 15 as lex specialis, and that regulation 4(e) of Malta's Subsidiary Legislation 586.09 (restriction for the establishment, exercise or defence of legal claims) also applies because the request was, in its view, a precursor to litigation for the recovery of player losses. After a Main Establishment Checklist and Questionnaire, the Commissioner determined that the controller's main establishment is in Malta and that the case falls to be assessed under the GDPR and the Maltese Data Protection Act, noting that he has no competence to interpret the law of another Member State.

This case highlights potential non-compliance with the GDPR's right of access provisions. Regulated entities must ensure that all personal data processed is provided in response to a subject access request, in a complete and intelligible format; a sector-specific statutory duty (such as a twelve-month transaction statement) does not by itself replace the Article 15 obligation. Where a controller relies on a restriction under Article 23 and national law, the Commissioner expects it to be able to produce the necessity and proportionality assessment and the communication informing the data subject of the restriction. The controller's initial lack of cooperation could also lead to further enforcement action by the IDPC. Compliance officers should review their internal processes for handling subject access requests to ensure completeness and adherence to GDPR requirements, and be prepared to respond promptly and fully to regulatory inquiries.

What to do next

  1. Review internal processes for handling subject access requests to ensure completeness and adherence to GDPR Article 15.
  2. Ensure all personal data processed is provided in response to a subject access request, not only the subset required by a sector-specific law.
  3. Where a restriction on the right of access is invoked, ground it in an Article 23 restriction under the applicable national law, document the necessity and proportionality assessment, and inform the data subject of the restriction.
  4. Respond promptly and fully to regulatory inquiries from data protection authorities.

Source document (simplified)

Information and Data Protection Commissioner

CDP/COMP/818/2024

[REDACTED]

vs

[REDACTED]

COMPLAINT

  1. On 25th November 2024, [REDACTED] through his legal counsel (the “complainant”) lodged a complaint with the Information and Data Protection Commissioner (the “Commissioner”) pursuant to article 77(1) of the General Data Protection Regulation[1] (the “Regulation”), alleging that [REDACTED], now [REDACTED] [REDACTED][2], provided an incomplete copy of his personal data when exercising his right of access pursuant to article 15 of the Regulation.
  2. As supporting documentation, the complainant provided a copy of the subject access request dated the 27th June 2024. The complainant also submitted copies of two (2) replies from [REDACTED]. On the 5th July 2024, [REDACTED] provided an encrypted file together with access instructions. The file contained a ‘Personal Data Report’ comprising the following sections: (1) Personal Details, (2) Account Details, (3) Money Summary, (4) Bonuses, (5) Marketing Messages, (6) Customer Service Contacts and (7) Responsible Gaming. In an email dated the 26th July 2024, [REDACTED] informed the complainant that: “we have fulfilled your request for information under the GDPR in accordance with Article 15(1) GDPR and Sect. 6d (3) ISTG 2021 and provided them in commonly used and machine-readable format. Your request for information has thus been fulfilled entirely and we hereby consider your enquiry to be settled”.

[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

[2] [REDACTED] formerly [REDACTED] having its registered address at [REDACTED].

INVESTIGATION

Request for submissions

  1. On the 19th December 2024, pursuant to the internal investigative procedure of this Office, the Commissioner requested [REDACTED] to put forward any information which is deemed relevant and necessary, for the Commissioner to consider in the legal analysis of the case. By means of an email dated the 23rd December 2024, the Commissioner was informed that [REDACTED] is now operating under the name [REDACTED] and is no longer owned by the [REDACTED], having been transferred to new ownership. Accordingly, [REDACTED] is now the controller responsible for any personal data previously processed by [REDACTED]. The Commissioner was also provided with the contact details of the controller’s Data Protection Officer.
  2. Accordingly, on the same day, the Commissioner requested submissions from the controller via email sent to the Data Protection Officer’s official email address. This communication was followed by further emails dated the 20th January 2025 and 3rd February 2025, however no reply was forthcoming. Another reminder was sent on the 19th February 2025, prompting a reply on the 21st February 2025, stating that the emails had ended up in the spam folder. Despite this explanation, the controller failed to provide the requested submissions.
  3. In this regard, on the 13th March 2025, the Commissioner sent a registered letter, invoking the investigative powers established under article 58(1)(e) of the Regulation and ordered the controller to provide all the necessary information for the purposes of the investigation, including the requested submissions.
  4. On the 24th March 2025, the controller, through its legal counsel, submitted the following principal arguments for the Commissioner to consider in the legal analysis of the case:
  • i. that reference was made to the correspondence with the complainant when responding to the subject access request, wherein the controller informed the complainant that; “[p]lease note that we have fulfilled your request for information under GDPR in accordance with Article 15 (1) GDPR and Sect. 6d (3) ISTG 2021 and provided them in a commonly used and machine-readable format. Your request for information has thus been fulfilled entirely and we hereby consider your enquiry to be settled”;
  • ii. that in accordance with the above-mentioned legal provisions, the controller provided the complainant with various personal data in a 'Personal Data Report', which included a list of transactions related to their gambling account during the previous twelve (12) months;
  • iii. that where no transactions had taken place between the specific complainant and the controller, no transaction data was given, but all other personal data was provided;
  • iv. that the complainant is German and represented by German lawyers and law firms;
  • v. that reference was made to the German Interstate Treaty on Gambling (Glücksspielstaatsvertrag), promulgated in 2021 (the "ISTG 2021"), which is an agreement between the German Federal States intended to harmonise German gambling law, a matter regulated at Federal State level;
  • vi. that the ISTG 2021 contains a specific legal provision regulating players' right of access to gambling transactions and information under data protection law. In terms of section 6d (3) of the ISTG 2021, the following is provided: "[o]rganisers and intermediaries must provide players, upon request, with an orderly list of all transactions on the gambling account for the past twelve months immediately and free of charge"[3];
  • vii. that in accordance with the German law, the subject access request was fulfilled under section 6d (3) of the ISTG 2021 and the complainant was provided with the relevant list of transactions applicable to their gambling accounts;
  • viii. that the controller "maintains, that the data access obligations provided in Sec. 6 (3) ISTG 2021, takes precedence over GDPR, including access rights provided in terms of Art. 15 GDPR, and this given that the ISTG 2021 as the lex specialis, specifically regulates the intersection between player protection (in the field of German gambling laws) and data access rights which apply to German players/consumers. This is in line with the legal principle of lex specialis derogat lex generalis";

[3] Official wording of the ISTG 2021 (German original, followed by an English rendering):

"§ 6d Informationspflichten des Anbieters bei Glücksspielen im Internet

(3) Veranstalter und Vermittler müssen Spielern auf Antrag eine geordnete Auflistung sämtlicher Transaktionen auf dem Spielkonto der vergangenen zwölf Monate unverzüglich kostenlos zur Verfügung stellen".

"§ 6d Information obligations of the provider for gambling on the internet

(3) Organisers and intermediaries must provide players, upon request, with an orderly list of all transactions on the gambling account for the past twelve months immediately and free of charge".

  • ix. that “in this context and based on the German law advice, [the controller] maintains that the ISTG 2021 specifically regulates player rights and rights of access to gambling transactions in the German territory, particularly when taking into account the fact that ISTG 2021 came into force after the GDPR (2018). It is thus surmised that it was the German legislator's clear and specific intention to provide for this explicit rule (and limitation) which derogates from general data protection legislation”;
  • x. that the Regulation itself explicitly allows for national regulations to address specific legal needs. Under article 23 of the Regulation, Member States (including Germany and Malta) are permitted to restrict certain data subject rights, including rights of access, where such a restriction respects the essence of fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard the factors listed in the same article 23 of the Regulation. The German legislator has, on this basis, explicitly created a restriction regulating access to gambling transactions in line with section 6d (3) of the ISTG 2021;
  • xi. that “[t]o this effect, [the controller] understands that Sec. 6 (3) ISTG 2021 should be applied to the DSAR filed by the Complainants. ██████ has thus acted in full compliance with its legal obligations when answering the Complainant's DSAR”;
  • xii. that in addition and without prejudice to the above, the controller noted that Maltese law also contains exceptions to the right of access under article 15 of the Regulation, which apply in these circumstances. The controller also made reference to regulation 4(e) of the Restriction of the Data Protection (Obligations and Rights) Regulations, Subsidiary Legislation 586.09 (the “Subsidiary Legislation 586.09”), which states that: “[a]ny restriction to the rights of the data subject referred to in Article 23 of the Regulation shall only apply where such restrictions are a necessary measure required: (e) for the establishment, exercise or defence of a legal claim and for legal proceedings which may be instituted under any law”;
  • xiii. that as already explained, article 23 of the Regulation empowers Member States to legislate and create, through domestic law, exceptions for rights which data subjects generally enjoy under the Regulation. Article 23 of the Regulation provides for the parameters within which Member States may legislate;

  • xiv. that article 23 of the Regulation expressly provides that such restrictions may relate, inter alia, to “(j) the enforcement of civil law claims”;

  • xv. that reference was made to the guidance of the European Data Protection Board (the “EDPB”) which confirms that article 23 of the Regulation allows restrictions to protect the interests of litigants, including prospective litigants[4];

  • xvi. that Subsidiary Legislation 586.09 is the national law through which the Maltese legislator implemented restrictions under article 23 of the Regulation, with the clear purpose of protecting potential litigants in civil claims;

  • xvii. that the controller maintains that regulation 4(e) of Subsidiary Legislation 586.09 “allows controllers to restrict the amount of data provided to data subjects in response to DSARs, if this is necessary for the establishment, exercise and defence of a legal claim and for legal proceedings which may be initiated under any law. Regulation 4(e) does not qualify this statement by stating that this exception may be invoked only if a legal procedure has been initiated. On the contrary, through the phrase “which may be initiated under any law”, Subsidiary Legislation 586.09 makes it abundantly clear that the legislator wanted a Controller such as [the controller] to be able to invoke an exception even before legal proceedings are initiated, if necessary for the establishment, or exercise, or defence of a legal claim. One of the purposes of the exception ought to be to avoid that controllers are forced to provide data that would impair the defence of a legal claim. This can obviously be the result regardless of whether data is provided before or after legal proceedings have been formally initiated”;

  • xviii. that the Maltese legislator intended for controllers, when acting in the context of existing or prospective legal claims, to have the right to invoke this restriction;

  • xix. that the controller has numerous reasons to believe that the complainants filed subject access requests with the express intention of initiating legal proceedings for the recovery of player losses, particularly in view of numerous German court judgments against MGA-licensed operators;


[4] European Data Protection Board, ‘Guidelines 10/2020 on restrictions under Article 23 GDPR’ (Version 2.0), adopted on the 13th October 2021 (page 9).

  • xx. that in the context of mass litigation (and the abusive nature of such litigation in Germany and other EU Member States such as Austria and the Netherlands), with litigation funders encouraging data subjects to file subject access requests to enable them to bring these cases (in breach of the standard rules of civil procedure), such subject access requests should be considered as 'abusive' for the purposes of the Regulation. This is particularly aggravated by the fact that the complainant is likely to have access to his personal data through other channels such as bank and credit card records;
  • xxi. that this conclusion is reached on the basis of the following indicative factors:
    • a. that the subject access requests and related correspondence were filed by a German law firm synonymous with player claims being filed before the German Courts against MGA-licensed operators. There can be no doubt that these subject access requests are being filed in the context of, and as a precursor to, litigation for the recovery of such losses;
    • b. that various statements in the emails exchanged with the controller are indicative of the motives behind the subject access requests in question. By way of example the complainant's lawyers state "the data submitted does not show any deposits or withdrawals by our client since his registration, nor do the files contain any game histories";
    • c. that "some of the Complainants have not deposited or played any games on the Company's website for a number of years. It is therefore hard to see any other reason for such Complainants to file a DSAR at this point in time, years after their last interaction with the Company, besides wanting the data in order to use it to file a legal claim against the Company";
    • d. that "[t]he Complainants' requests constitute part of a larger and wider pattern in Germany where a large number of players are filing DSARs only for the purpose of filing legal claims against the controller. These players no longer have any ongoing business relationship with the Controller or other interest in their data, except to file DSARs only for the aforementioned purpose. Especially against this background, there is no reason to believe that the Complainants have any other interest in the data than to use the data to file a legal claim against [the controller]";
  • xxii. that it must also be emphasised that the right of access is not absolute. The controller referred to article 15(4) of the Regulation, which expressly provides that “[t]he right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others”;
  • xxiii. that in line with this, it is noted that at the time of replying to the complainant, the controller (through its previous DPO team) had already carried out a Necessity and Proportionality Test, containing the controller’s internal assessment of (i) necessity and (ii) proportionality. This assessment justified the temporary restriction of access and the limited disclosure of personal data in reliance on the exceptions under Subsidiary Legislation 586.09, read within the context of the Regulation;
  • xxiv. that “[REDACTED] thus maintains, that the restriction in Regulation 4(e) of S.L. 586.09 also applies to the DSARs filed by the Complainants (without prejudice to the German Law position above) and that therefore [REDACTED] has had the right to restrict the amount of data provided to the Complainants also based on this restriction”; and
  • xxv. that “[REDACTED] with regard to the above, thus has acted in full compliance with its legal obligations and provided all applicable data it is obliged to provide to the Complainants”.
  5. The Commissioner requested the controller to provide a copy of the email sent to the data subject informing him of the restriction, along with a copy of the necessity and proportionality test applied in relation to the restriction invoked by the controller.

  6. On the 4th April 2025, the controller submitted a copy of the necessity and proportionality test which it had conducted. The Commissioner noted that the necessity and proportionality test is an internal document of the controller and, therefore, the document was used by the Commissioner solely for the purpose of investigating this complaint. It was further noted that:

“As far as our clients are aware, the email communications between [REDACTED] (now [REDACTED]) and the data subjects are those which your Office has already attached to the complaints in question. As is self-evident from the correspondence in question, the primary restriction communicated by the [REDACTED] DPO team at the time was that in terms of Art 6 (3) of the ISTG 2021 (Glücksspielstaatsvertrag) which obliges providers of games to provide players with an orderly list of all transactions on the gambling account for the past twelve months immediately and free of charge. However, and as explained in our submissions, [REDACTED] maintains that the exception laid out in Art 4(e) of 586.09 should also apply to this case, and this will be imminently communicated to the players in question”.

  7. The Commissioner provided the complainant with the opportunity to rebut the arguments raised by the controller; however, the complainant noted that “we will not be submitting any further documents on this matter and that we have conclusively explained our position”.
  8. By means of an email dated 30th April 2025 and with reference to the restriction under the ISTG 2021, the Commissioner requested the controller to provide a specific explanation as to why German law is considered applicable rather than Maltese law, given that the controller is a company registered in Malta and licensed by the Malta Gaming Authority.
  9. In this regard, on the 23rd May 2025, the controller submitted the following salient arguments for the Commissioner to consider during the legal analysis of this case:
  • i. that “[i]t is generally acknowledged that the Maltese Data Protection Act (and subsidiary regulations enacted under the Act, including those on the restrictions) is invoked to the extent that there is processing in the context of activities of an “establishment” in Malta. If the establishment is not in Malta, then Maltese law will not apply. In this context and since [REDACTED] is a Maltese entity, Maltese law is typically considered in the context of such processing”;
  • ii. that “it is important to note however that in recent years, most EU Member States have moved to regulate the provision of online gaming services through specific domestic laws and licensing regimes, which allow foreign operators, to apply for such licenses through open licensing frameworks, which now regulate the provision of gaming services in such jurisdictions subject to compliance with their regulatory framework. One such country is Germany which has implemented the German ‘Interstate Treaty on Gambling’ (Glücksspielstaatsvertrag) promulgated in 2021 (“ISTG 2021”), which now regulates the provision of online gambling to German consumers in German territories”;
  • iii. that “[s]uch German law now also regulates the right of access to personal data of German players consuming online gaming services”;
  • iv. that “[i]t is also important to consider that in the context of this DSAR filed by a German player who is likely to ask the German court to declare the contract he had with [REDACTED] (at the time [REDACTED]) null and void and to thus repay the losses, the German court will very likely (as it typically does in such cases – although this remains contested) choose to apply German law (as the law of the MS in which the consumer has residence) as the law which gives the consumer better protection, and therefore the law applicable to the relationship between the parties”;
  • v. that “[i]n this context, we are informed that [REDACTED] (at the time [REDACTED]) obtained German law advice in the sense that the ISTG provides for a special and specific legal provision which regulates players' right of access to gambling transactions and information in terms of data protection law, which provides for access to a list of all transactions “for the past twelve months immediately and free of charge””;
  • vi. that “[i]n accordance with German law, [REDACTED] (at the time [REDACTED]) therefore fulfilled the DSAR in terms of Sect. 6d (3) ISTG 2021 above, and the Complainant was provided with the relevant list of transactions applicable for the gambling account for that period”;
  • vii. that “[REDACTED] maintains, on the basis of German law advice it obtained at the time, that the data access obligations provided in Sec. 6 (3) ISTG 2021, takes precedence over GDPR, including access rights provided in terms of Art. 15 GDPR, and this given that the ISTG 2021 as the lex specialis, which specifically regulates the intersection between player protection (in the field of German gambling laws) and data access rights which apply to German players/consumers. This is in line with the legal principle of lex specialis derogat lex generalis”;
  • viii. that “in this context and based on the abovementioned German law advice obtained, [REDACTED] maintains that the ISTG 2021 specifically regulates player rights and rights of access to gambling transactions in the German territory, particularly when taking into account the fact that ISTG 2021 came into force after the GDPR (2018). It is thus surmised that it was the German legislator's clear and specific intention to provide for this explicit rule (and limitation) which derogates from general data protection legislation”;
  • ix. that “the GDPR itself explicitly allows for national regulations to address specific legal needs. Under Article 23 GDPR, EU Member States (including Germany and Malta) are permitted to restrict certain data subject rights, including rights of access, when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard the factors listed in the same Article 23, GDPR itself. The German legislator has thus, explicitly created this restriction regulating access to gambling transactions in line with Section 6 (3) ISTG 2021”;
  • x. that “on this basis and as already explained, the Data Subject was provided with the data for the preceding 12 months (which showed no active gameplay and therefore no transactions) and this explains why “only a 12-month subset of data was provided”; and
  • xi. that “[o]n the rest of the questions, posed by the DS, we have as yet, not received specific information on whether older data exists, or whether it has been deleted or retained, although the assumption should be that such data was processed, retained or deleted in line with the company’s data retention policies applicable at the time, unless otherwise proven. We understand however that this is not the subject of this complaint”.
  10. On the 17th June 2025, pursuant to its investigative powers in terms of article 58(1)(a) of the Regulation, the Commissioner requested the controller to complete the Main Establishment Checklist and Questionnaire. These instruments are intended to gather detailed information on the controller’s group structure, decision-making processes and operational activities, with a view to determining the location of the main establishment within the meaning of the Regulation. In this regard, on the 26th July 2025, the controller provided the requested documentation.

LEGAL ANALYSIS AND DECISION

Preliminary Considerations

  1. During the course of the investigation, the Commissioner established that the complainant had exercised his right to access his personal data in terms of article 15 of the Regulation by means of a request dated the 27th June 2024. The Commissioner observed that, in its reply dated the 5th July 2024, the controller provided a 'Personal Data Report' with various categories of personal data. However, the Commissioner further noted that the disclosure was limited to information falling within the scope of section 6d (3) of the ISTG 2021, which requires operators to provide players with a list of gambling account transactions for the past twelve (12) months.

Determining the Main Establishment of the Controller

  1. The Commissioner analysed the applicability of the ISTG 2021 and whether it could operate as a valid restriction of the complainant's right of access under article 15 of the Regulation. Therefore, in light of the cross-border nature of the controller's data processing, the Commissioner undertook a judicious assessment to identify the controller's main establishment within the Union, and specifically, whether such main establishment is located in Malta. In accordance with article 56(1) of the Regulation, the supervisory authority in the member state of the main establishment of a controller shall be the lead supervisory authority vis-à-vis that controller. The supervisory authority shall have the competence to monitor the application of the Regulation in relation to the controller on the territory of its own Member State as held in article 55(1) of the Regulation, and to investigate complaints lodged by data subjects concerning the processing of their personal data by that controller, as held in article 57(1)(f) of the Regulation. Accordingly, making this determination was necessary in order to establish whether the Commissioner is the competent supervisory authority for overseeing the controller's processing operations in the present case, and as a corollary, whether the controller is also subject to the provisions of Maltese law which implement and further specify the provisions of the Regulation, namely, the Data Protection Act (Chapter 586 of the Laws of Malta) (the "Act") and all the regulations made thereunder.
  2. In this regard, article 4(16)(a) of the Regulation clearly defines the 'main establishment' of a controller as "the place of its central administration in the Union". This applies unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union, and that establishment also has the power to implement those decisions, in which case, that establishment will be considered the controller's main establishment. This is reinforced by recital 36 of the Regulation, which explains that the main establishment should be determined according to objective criteria, and should imply the effective and real exercise of management activities, determining the main decisions about processing through stable arrangements. This interpretation is further supported by the EDPB's Opinion 04/2024 on the notion of main establishment of a controller in the Union under article 4(16)(a) GDPR, which stresses that determining the main establishment cannot be based on a subjective designation[5], but rather, it hinges on identifying where these key decisions are taken, and where the power to put those decisions into effect lies. Accordingly, the Commissioner considered that making this determination would involve an objective exercise to identify precisely where the controller makes its final decisions on the purposes and means of its data processing activities, and where the controller has the ability to implement those decisions effectively.
  3. The Commissioner also analysed the EDPB's Guidelines 08/2022 on identifying a controller or processor's lead supervisory authority, which provide that supervisory authorities may request a controller to provide evidence or information to demonstrate where its main establishment is and where decisions about data processing activities are taken[6]. Accordingly, during the course of the investigation, for the purpose of further informing his determinations in this regard, the Commissioner put a series of objective questions to the controller.
  4. In its responses the controller stated that it considered the main establishment of the group of undertakings of which it forms part to be located in Malta. The controller substantiated its position by explaining, inter alia, (i) that the controller is a company registered under the laws of Malta and having its registered address in Malta; and (ii) that data protection decisions, including compliance with data subject rights and ongoing legacy data retention, are carried out under the direction of its appointed director(s) in Malta.
  5. After taking into consideration the explanations provided by the controller in its responses, the Commissioner affirmed his determination that the controller's main establishment is in Malta. Pursuant to article 11(2) of the Data Protection Act, the Commissioner is responsible for monitoring and enforcing the application of the provisions of the Act and the Regulation in relation to controllers that have their main establishment in Malta. Consequently, in conducting his legal analysis of the present case and issuing his legally binding decision thereon, the Commissioner examined the controller's conduct and the complainant's allegations in light of the provisions of the Regulation and the relevant provisions of the Data Protection Act, including the regulations made thereunder. The Commissioner further clarifies that he does not have the competence to interpret the law of another Member State, and that his competence is strictly limited to Malta's territory, as established under article 55(1) of the Regulation.

[5] European Data Protection Board, 'Opinion 04/2024 on the notion of main establishment of a controller in the Union under article 4(16)(a) GDPR', adopted on the 13th February 2024 (para. 11).

[6] European Data Protection Board, 'Guidelines 08/2022 on identifying a controller or processor's lead supervisory authority', adopted on the 28th March 2023 (para. 38).

Subject Access Request: Article 15 of the Regulation

  1. Article 15 of the Regulation grants data subjects far-reaching rights of access in relation to the processing of their personal data. Its predominance is derived from article 8(2) of the Charter of Fundamental Rights of the European Union (the “Charter”), which explicitly refers to the right of access, by stating that “[e]veryone has the right of access to data which has been collected concerning him or her...”. This corresponds to the objective of the Regulation which is clearly outlined in recital 10 of the Regulation, that is, to ensure a consistent and high level of protection of natural persons within the European Union.
  2. It has been repeatedly stated by the Court of Justice of the European Union (the “CJEU”) that this right is instrumental to the exercise of the data subjects’ other rights set forth in the Regulation7, mainly articles 16 to 19, 21, 22 and 82. Notwithstanding this, the right of access is a free-standing right of the individual, and its exercise is certainly not conditional upon the exercise of any other right8.
  3. Article 15(1) and (3) of the Regulation give data subjects the fundamental right to obtain from the controller: (i) confirmation as to whether or not personal data concerning them are being processed and, if so, information about the processing activity, and (ii) a copy of the personal data being processed.
  4. The CJEU’s Advocate General Pitruzzella in his Opinion explained that article 15(1) of the Regulation “gives specific expression to the right of access to personal data and related information, defining the precise subject matter of the right of access and the scope of application”, whereas article 15(3) of the Regulation “provides more details as to how that right is to be exercised, specifying in particular the form in which the controller must provide the data subject with personal data, that is to say, in the form of a copy and, therefore, a faithful reproduction of the data”9.

7 Case C-487/21, ‘FF vs Österreichische Datenschutzbehörde’, decided on the 4th May 2023: “In particular, that right of access is necessary to enable the data subject to exercise, depending on the circumstances, his or her right to rectification, right to erasure (‘right to be forgotten’) or right to restriction of processing, conferred, respectively, by Articles 16, 17 and 18 of the GDPR, as well as the data subject’s right to object to his or her personal data being processed, laid down in Article 21 of the GDPR, and right of action where he or she suffers damage, laid down in Articles 79 and 82 of the GDPR.” (para. 35).

8 European Data Protection Board, ‘Guidelines 01/2022 on data subject rights - Right of access’ (Version 2.0), adopted on the 28th March 2023 (para. 12).

9 Case C-487/21, Opinion of Advocate General Pitruzzella, delivered on the 15th December 2022, (para. 48 and 49).

  1. Given that the right of access is an expression of article 8(2) of the Charter, it is formulated in very broad terms and, as a result, the CJEU has adopted a wide interpretation of this article, with specific reference to the recent judgments delivered in 202310. This is naturally due to the fact that the right of access is the basis for guaranteeing the effective protection of the data subjects' right to the protection of their data. To this end, the controller should handle the request in such a manner as to give the broadest effect to the right of access.
  2. It is evident from the wording of article 15 of the Regulation that the law does not require the data subject to justify or give any reasons for a request under the Regulation. Any presumptions, suspicions or hypothetical conclusions which the controller may consider or reach as to what the data subject's reasons are or might be should not affect the handling of that request, as otherwise the right of access would be rendered futile and ineffective.
  3. This is further supported by the interpretation provided by the EDPB in its Guidelines 01/2022 published in March 2023, which reads as follows: "[c]ontrollers should not assess "why" the data subject is requesting access, but only "what" the data subject is requesting ... and whether they hold personal data relating to that individual... [F]or example, the controller should not deny access on the grounds or the suspicion that the requested data could be used by the data subject to defend themselves in court in the event of a dismissal or a commercial dispute with the controller"11 [emphasis has been added].

Validity of ISTG 2021 as a Restriction

  1. Recital 4 of the Regulation provides that the right to the protection of personal data is not an absolute right, and it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality. This has been reaffirmed by the CJEU in the judgment of Facebook Ireland and Schrems12.
  2. The fundamental right to the protection of personal data may be subject to some limitations pursuant to article 52(1) of the Charter13. This therefore means that the limitations should be provided by law, respect the essence of the rights and freedoms, and be necessary and proportionate to genuinely meet objectives of general interest or the need to protect the rights and freedoms of others. Therefore, a restriction should not be so extensive and intrusive that it would void a fundamental right of its basic content.

10 Case C-487/21, 'FF vs Österreichische Datenschutzbehörde', decided on the 4th May 2023, and Case C-154/21, 'RW v Österreichische Post AG', decided on the 12th January 2023.

11 Ibid 8, para. 13.

12 Case C-311/18, 'Data Protection Commissioner vs Facebook Ireland and Maximillian Schrems', decided on the 16th July 2020 (para. 172).

13 Article 52(1) of the Charter provides that: "1. Any limitation on the exercise of the rights and freedoms recognised by this Charter must be provided for by law and respect the essence of those rights and freedoms. Subject to the principle of proportionality, limitations may be made only if they are necessary and genuinely meet objectives of general interest recognised by the Union or the need to protect the rights and freedoms of others."

  1. Whereas the Regulation does not define the term 'restrictions', the EDPB defines it "as any limitation of scope of the obligations and rights provided for in Articles 12 to 22 and 34 GDPR as well as corresponding provisions of Article 5 in accordance with Article 23 GDPR". The EDPB further provides that a "restriction to an individual right has to safeguard important objectives, for instance, the protection of rights and freedoms of others or important objectives of general public interest of the Union or of a Member State which are listed in Article 23(1) GDPR. Therefore, restrictions of data subjects' rights can only occur when the listed interests are at stake and these restrictions aim at safeguarding such interests"10 [emphasis has been added].

  2. In this regard, the Commissioner noted the communication dated the 26th July 2024, wherein [REDACTED] informed the complainant that: "we have fulfilled your request for information under the GDPR in accordance with Article 15(1) GDPR and Sect. 6d (3) ISTG 2021 and provided them in commonly used and machine-readable format. Your request for information has thus been fulfilled entirely and we hereby consider your enquiry to be settled" [emphasis has been added]. Furthermore, in its submissions dated the 24th March 2025, the controller reiterated that the GlüStV 2021 should be regarded as a 'lex specialis' which should override the general provisions and requirements of the Regulation. However, the Commissioner completely rejects this argument. The Regulation constitutes the primary legal framework regulating the processing activities of the controller. While the Regulation allows Member States to introduce legislative measures in specific areas, such as in areas not exclusively regulated by the Regulation, such measures are intended to further implement and specify the Regulation, not to override it. The controller's interpretation, suggesting that any national law introduced under the Regulation may take precedence over the Regulation, is legally incorrect.

  3. The Commissioner further noted that article 23(1) of the Regulation makes it abundantly clear that a controller may restrict a right of a data subject based on a "Member State law to which the data controller or processor is subject" and not based on the location of the data subjects, as the controller suggested. If the Regulation intended to apply restrictions based on the data subject's location, it would have explicitly stated so. Given that the controller's main establishment is located in Malta, the Commissioner determined that the Maltese law, together with the Regulation, constitutes the applicable legal framework for the purpose of article 23 of the Regulation.

Restriction in terms of Subsidiary Legislation 586.09

  1. The Commissioner further analysed whether the controller's reliance on regulation 4(e) of Subsidiary Legislation 586.09 was validly invoked as a restriction of the complainant's right of access. At the outset, the Commissioner observed that throughout the investigation, the controller did not submit any evidence that it had relied on regulation 4(e) of Subsidiary Legislation 586.09 when restricting the complainant's subject access request. The Commissioner noted that in the controller's reply to the complainant dated the 26th July 2024, the controller explicitly referred only to section 6d (3) ISTG 2021 and not to any provision of Maltese law, as the basis for restricting access. It was only during the course of the investigation and in submissions addressed to the Commissioner, that the controller invoked regulation 4(e) of Subsidiary Legislation 586.09, asserting that it "should also apply to this case, and this will be imminently communicated to the players in question".
  2. Within this context, the Commissioner considered article 23(2)(h) of the Regulation, which provides that any legislative measure should contain specific provisions at least, where relevant, as to the "right of data subjects to be informed about the restriction, unless that may be prejudicial to the purpose of the restriction". Regulation 6 of Subsidiary Legislation 586.09 states that the "data controller shall inform the data subject about any restriction provided for under these regulations". This is subject to the proviso, which reads as follows: "[p]rovided that such a disclosure will not be prejudicial to the purposes of the restriction applied pursuant to these regulations".
  3. Without entering into the merits as to whether the restriction which the controller mentioned during the course of the investigation, was indeed necessary and proportionate, the Commissioner stresses that the controller should, as a general rule, always inform the data subject about restricting a fundamental right within the timeframe stipulated by law, and it is only in exceptional circumstances that the controller may have sufficient grounds not to disclose the information to the data subject. In fact, the EDPB in its Guidelines 10/202014 provides the following example:

"In other words, in extraordinary circumstances, for instance in the very preliminary stages of an investigation, if the data subject requests information if he or she is being investigated, the controller could decide not to grant that information at that moment - if this restriction is lawful and strictly necessary in the specific case to what would be prejudicial to the purpose of the restriction”15 [emphasis has been added].

14 Ibid 4

  1. In the present case, the Commissioner observed that the controller did not demonstrate that any such exceptional circumstances applied. This exemption, regulation 4(e) of Subsidiary Legislation 586.09, was not communicated to the complainant, nor did the controller provide a substantiated explanation as to why notification could not be given at the time of the access request.

Inapplicability of the Restriction in terms of Subsidiary Legislation 586.09

  1. The Commissioner further analysed whether, even if the controller had properly invoked the restriction under regulation 4(e) of Subsidiary Legislation 586.09, such a restriction would in fact be applicable to the present case. In this regard, the Commissioner noted that the scope of the obligation and right provided for in article 15 of the Regulation may be restricted by national legislation. To this effect, regulation 4(e) of Subsidiary Legislation 586.09 provides that “[a]ny restriction to the rights of the data subject referred to in Article 23 of the Regulation shall only apply where such restrictions are a necessary measure required: (e) for the establishment, exercise or defence of a legal claim and for legal proceedings which may be instituted under any law” [emphasis has been added].
  2. Regulation 7 of Subsidiary Legislation 586.09 makes it abundantly clear that any restriction must be a “necessary and proportionate measure”, which effectively means that an assessment needs to be undertaken by the controller on a case-by-case basis to determine whether such measure is indeed “a necessary and proportionate measure”, rather than merely refusing to comply with a request.
  3. The context within which the controller invoked the restriction could only be justified if the controller concretely demonstrates that the restriction is indeed necessary to defend a legal claim and legal proceedings which may be instituted by the complainant under any law. During the course of the investigation, the controller reiterated that “some of the Complainants have not deposited or played any games on the Company’s website for a number of years. It is therefore hard to see any other reason for such Complainants to file a DSAR at this point in time, years after their last interaction with the Company, besides wanting the data in order to use it to file a legal claim against the Company", and that "[t]he Complainants' requests constitute part of a larger and wider pattern in Germany where a large number of players are filing DSARs only for the purpose of filing legal claims against the controller. These players no longer have any ongoing business relationship with the Controller or other interest in their data, except to file DSARs only for the aforementioned purpose. Especially against this background, there is no reason to believe that the Complainants have any other interest in the data than to use the data to file a legal claim against [the controller]".

15 Ibid 4, para. 66.

  1. The Commissioner does not consider this reasoning to be compliant with the objective of the restriction as set forth in regulation 4(e) of Subsidiary Legislation 586.09. The said regulation provides that the fundamental right of the data subject may only be restricted "for ... defence of a legal claim and for legal proceedings which may be instituted" [emphasis has been added]. This provision establishes a narrow scope for restricting a fundamental right, which may only occur when such restriction is demonstrably necessary for the purpose of achieving the intended objective.
  2. The Commissioner therefore concludes that the controller failed to provide any evidence during the investigation to demonstrate that the restriction is necessary to defend a legal claim and/or legal proceedings, particularly when neither had been instituted by the complainant. A restriction cannot be invoked based solely on the assumption that the complainant may, following the provision of the information, initiate some form of legal action against the controller. Consequently, the controller has not managed to effectively demonstrate that the restriction of a fundamental right is indeed a necessary measure.
  3. The wording of regulation 4(e) is interpreted as covering the following scenarios in which the controller may be required to defend itself: (i) defence of a legal claim; and (ii) defence of legal proceedings which may be instituted under any law. The Commissioner's interpretation is that, although the two elements of the restriction, namely the defence of a legal claim and legal proceedings are related, they are not strictly cumulative. The first element, the defence of a legal claim, stands independently and does not necessarily depend on the existence of legal proceedings. This distinction is highlighted by the legislator's deliberate choice of the verb "may" in the phrase "legal proceedings which may be instituted". Accordingly, regulation 4(e) of S.L. 586.09 is interpreted to also apply in those scenarios where the restriction is necessary to enable the controller to defend an actual legal claim brought against it by the data subject, even if legal proceedings have not yet been initiated.

  4. Without prejudice to the above, it must be emphasised that even in the eventuality that there is an actual legal claim and ensuing legal proceedings, for the restriction to apply, the controller shall demonstrate that the application of the restriction is indeed a necessary and a proportionate measure.

Necessity and Proportionality Test

  1. The Commissioner further noted that pursuant to article 5(2) of the Regulation, the controller must be able to concretely demonstrate how the restriction is indeed necessary and if this part of the test is passed, the controller must proceed to show the element of proportionality. The case law of the CJEU emphasises that any limitation to the rights of the data subjects must pass a strict necessity test. In C-73/07, the CJEU held that “derogations and limitations in relation to the protection of personal data ... must apply only insofar as is strictly necessary”16 [emphasis has been added].
  2. Thus, in his assessment, the Commissioner examined the replies provided by the controller to the complainant, together with the necessity and proportionality test as presented by the controller, which was framed exclusively by reference to regulation 4(e) of Subsidiary Legislation 586.09. In this context, the Commissioner observed that, in the controller’s initial reply to the complainant dated the 26th July 2024, the controller relied on section 6d (3) ISTG 2021, asserting that the subject access request had been ‘fulfilled entirely’. The Commissioner therefore starts from the clear position that, at the time of the controller’s reply, the data subject’s right was partially restricted under section 6d (3) ISTG 2021, not under Maltese law, more specifically regulation 4(e) of Subsidiary Legislation 586.09 [emphasis has been added].
  3. Consequently, the Commissioner concludes that the necessity and proportionality assessment relied upon by the controller concerned a legal basis different from that which was actually invoked when restricting the complainant’s right of access. As a result, the restriction applied to the complainant was not subject to the corresponding checks and balances inherent in such an assessment. Therefore, in the absence of a necessity and proportionality evaluation specifically addressing the restriction imposed under section 6d (3) ISTG 2021, the controller has failed to demonstrate compliance with the accountability principle enshrined in article 5(2) of the Regulation.

16 Case C-73/07, ‘Tietosuojavaltuutettu v Satakunnan Markkinapörssi Oy and Satamedia Oy’, decided on the 16th December 2008, (para. 56).

On the basis of the foregoing considerations, the Commissioner is hereby deciding that the controller has infringed article 5(2) of the Regulation by failing to demonstrate that the restriction applied was lawful, necessary and proportionate in accordance with the accountability principle. Specifically, the controller erroneously relied upon section 6d (3) of the ISTG 2021, a provision of the German law to which it is not subject, rather than the applicable legal framework consisting of the Regulation and Maltese law. Furthermore, the controller failed to properly invoke any valid restriction under Maltese law at the time of responding to the complainant's request and subsequently failed to demonstrate that any such restriction would have been necessary and proportionate to the specific circumstances of this case. These failures directly resulted in an infringement of the complainant's fundamental right of access under article 15 of the Regulation.

In accordance with his corrective powers pursuant to article 58(2)(c) of the Regulation, the controller is hereby being ordered to comply with the request by providing the complainant with the information prescribed under article 15(1)(a) to (h) of the Regulation, as well as the “copy of the personal data undergoing processing” pursuant to article 15(3) thereof, as the data stood at the time of receipt of the request, which was missing from the initial reply.

The controller shall comply with this order without undue delay and by no later than twenty (20) days from the date of service of this legally binding decision and inform the Commissioner of the action taken immediately thereafter.

Non-compliance with this order shall lead to an administrative fine in terms of article 83(6) of the Regulation.

After considering the nature of the infringement, the controller is hereby being served with a reprimand pursuant to article 58(2)(b) of the Regulation and warned that, in the event of a further similar infringement, the appropriate corrective action shall be taken accordingly.

Digitally signed by Ian DEGUARA
Date: 2026.01.07 15:53:06 +01'00'

Ian Deguara

Information and Data Protection Commissioner

Right of Appeal

In terms of article 26(1) of the Data Protection Act (Cap 586 of the Laws of Malta), “any person to whom a legally binding decision of the Commissioner is addressed, shall have the right to appeal in writing to the Tribunal within twenty days from the service of the said decision as provided in article 23”.

An appeal to the Information and Data Protection Appeals Tribunal shall be made in writing and addressed to 'The Secretary, Information and Data Protection Appeals Tribunal, 158, Merchants Street, Valletta'17.


17 More information about the appeals procedure is available here.

IDPC Doc 1: [attached page almost entirely covered by a black redaction box; no text recoverable]

Named provisions

COMPLAINT INVESTIGATION Request for submissions

Source

Analysis generated by AI. Source diff and links are from the original.

Classification

Agency
IDPC
Filed
November 25th, 2024
Instrument
Enforcement
Legal weight
Binding
Stage
Final
Change scope
Substantive
Document ID
CDP/COMP/818/2024

Who this affects

Applies to
Consumers
Activity scope
Data Subject Access Requests
Geographic scope
mt mt

Taxonomy

Primary area
Data Privacy
Operational domain
Compliance
Compliance frameworks
GDPR
Topics
GDPR Right of Access
