GamStop personal data storage and GDPR rights


When you register with GamStop, you hand over a set of personal details that the system uses to enforce your self-exclusion across every UKGC-licensed gambling operator. That data is not stored passively — it is actively shared, continuously matched, and retained for years beyond the end of your exclusion period. GamStop holds your data to enforce your decision, and the scope of that data handling is broader and longer-lasting than most people realise when they fill in the registration form.

Understanding what information GamStop collects, who it is shared with, how long it is kept, and what rights you have over it is not just a matter of curiosity. It is a practical question with implications for your privacy, your relationship with gambling operators, and your ability to control how your personal information is used after the exclusion ends.

What Data GamStop Collects

The data you provide during GamStop registration is the foundation of the self-exclusion system. Every piece of information serves the matching algorithm — the process by which operators identify your accounts and block them. The core data points are consistent across all registrations.

Full name. Your legal name, as entered during registration. This is the primary identifier in the matching process. If you provided a middle name, it is stored. If you used a shortened version of your first name, that is what GamStop holds. The name does not automatically update if you change it legally — you would need to contact GamStop to amend the record.

Date of birth. Used alongside your name as a core matching field. Name plus date of birth is the strongest identifier combination in the GamStop system, and it forms the basis of most matching checks that operators run against their customer databases.

Email addresses. GamStop allows you to register multiple email addresses, and each one is stored and shared with operators. Email is a key matching field because gambling accounts are typically registered with an email address, making it one of the most reliable data points for identifying accounts that belong to you. If you provided three email addresses during registration, all three are part of the matching dataset.

Postal addresses. Your home address at the time of registration, and any additional addresses you provided. Address matching helps operators identify accounts that were registered using your residential details, particularly when name and email combinations alone are not sufficient. Multiple addresses — current and previous — can be included to improve matching accuracy.

Phone numbers. Your mobile or landline number as provided during registration. Phone number matching provides an additional data point for operators, though it is generally considered a secondary matching field compared to name, date of birth, and email.

Exclusion details. GamStop stores the specifics of your self-exclusion: the period you selected, the date the exclusion began, the date it is due to expire, and the status of the exclusion — whether it is active, expired, or removed. This operational data is essential for the system to function: operators need to know not just who is excluded, but for how long and whether the exclusion is currently in force.

Interaction records. GamStop maintains records of your interactions with the service — phone calls, emails, removal requests, identity verification outcomes, and any changes to your registration. These records support the administration of the scheme and provide an audit trail that can be referenced if disputes arise.

The volume of data is not enormous — it is a set of personal identifiers plus administrative records — but its sensitivity is significant. This is a dataset that identifies you as someone who self-excluded from gambling, and it is shared widely across the gambling industry. The handling of this data is governed by UK data protection law, which brings specific obligations for GamStop and the operators who receive it.

How Your Data Is Shared

GamStop shares your registration data with every gambling operator that holds a remote licence from the UK Gambling Commission (UKGC). This is not selective sharing; it is a broadcast to the entire regulated market. The Gambling Commission requires all remote licensees to participate in GamStop, which means all of them receive access to the database of self-excluded individuals and are required to check it against their customer records.

The data sharing is facilitated through an API integration. Operators connect to the GamStop database and run checks — either in real time or in batch processes — to identify customers whose details match a self-excluded person’s record. The API returns match results that the operator uses to take action: closing accounts, blocking registrations, and removing marketing communications.

The legal basis for this data sharing is compliance with a legal obligation. The UKGC’s licence conditions require operators to participate in GamStop, and GamStop’s processing of your data is necessary to fulfil the purpose of the self-exclusion scheme. Under the UK GDPR, this constitutes a lawful basis for processing — your data is shared not because you consented to broad data distribution, but because the regulatory framework requires it for the scheme to function.

Operators who receive your data are themselves subject to data protection obligations. They must use the data solely for the purpose of enforcing self-exclusion and related responsible gambling obligations. Using GamStop data for marketing purposes, selling it to third parties, or repurposing it for commercial activities outside the scope of self-exclusion would constitute a breach of data protection law. In practice, operators integrate GamStop data into their responsible gambling systems and handle it under the same data protection frameworks that govern the rest of their customer data.

One nuance worth noting: when your exclusion is removed, operators are still informed that you were previously self-excluded. This notification persists for seven years after removal, meaning your prior self-exclusion status is visible to the industry for a substantial period beyond the end of your exclusion. Operators may use this information to apply enhanced responsible gambling measures to your account, and some may factor it into their decision about whether to reactivate your account at all.

How Long Your Data Is Retained

GamStop retains your data for significantly longer than the exclusion period itself. The retention timeline extends through three phases: the active exclusion, the post-expiry period, and the post-removal notification period.

During the active exclusion, your data is held and actively shared with operators. This is the period you selected — six months, one year, or five years — plus any extensions resulting from auto-renewal or the seven-year post-expiry default. Throughout this time, operators are receiving and acting on your data continuously.

After removal, your data is retained for an additional seven years. During this period, operators can still be informed that you were previously self-excluded. The data remains in GamStop’s system in a different status — removed rather than active — but it is not deleted. This seven-year retention aligns with the notification period during which operators may apply enhanced monitoring to previously self-excluded customers.

After the seven-year post-removal period, GamStop’s data retention is governed by its privacy policy. The specific retention periods for different categories of data should be outlined in GamStop’s published privacy documentation, available on their website. In general, regulatory and compliance records may be retained for longer periods than personal identification data, but the details are subject to GamStop’s own data management practices and any regulatory requirements imposed by the Gambling Commission.

Deletion requests are a legitimate exercise of your rights under the UK GDPR, but they are subject to exceptions. The right to erasure does not apply where the data processing is necessary for compliance with a legal obligation — and since GamStop’s data processing is underpinned by regulatory requirements, a deletion request during an active exclusion or the post-removal notification period is likely to be refused on legal grounds. After the retention period ends, the grounds for refusal weaken, and a deletion request may be more readily accommodated.

Your Data Rights Under GDPR

The UK GDPR grants you several rights in relation to your personal data, and these rights apply to the data GamStop holds about you. The most practically relevant rights are access, rectification, and — with the caveats noted above — erasure.

The right of access allows you to request a copy of all personal data GamStop holds about you. This is sometimes called a Subject Access Request (SAR). GamStop is required to respond within one month, providing you with the data it holds, the purposes for which it is processed, and the categories of recipients who have received it. Submitting a SAR is a useful step if you want to understand exactly what is in your GamStop record, particularly if your personal details have changed and you want to verify what the system holds.

The right to rectification allows you to request corrections to inaccurate data. If GamStop holds an outdated address, a misspelled name, or an incorrect email address, you can ask for it to be corrected. This is especially relevant for improving the accuracy of the matching process — incorrect data could either create gaps in your exclusion or cause false matches with other individuals.

Your data built the block. The GDPR gives you the right to see what GamStop holds, to correct it if it is wrong, and — when the retention obligations expire — to ask for it to be deleted. Exercising these rights starts with a written request to GamStop, which can be submitted by email. The process is administrative, not adversarial, and GamStop is legally obligated to respond.