The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens' data privacy, and to reshape the way organizations across the region approach data privacy.
May 25th 2018.
According to GDPR, personal data is:
“Personal data is any information that relates to an identified or identifiable living individual. Different pieces of information, which collected together can lead to the identification of a particular person, also constitute personal data.
Personal data that has been de-identified, encrypted or pseudonymised but can be used to re-identify a person remains personal data and falls within the scope of the law.”
This means that not only is personally identifiable information like the user’s name, email address, or device ID (IDFA/GAID) personal data, but any data we can associate with one person, even if we cannot identify that person in the real world.
The most important consequence of this is that any data associated with one individual (or an ID referring to one individual, even if it is a randomly generated ID) is personal data – including actions they have taken in a game, such as starting the tutorial, picking a character, beginning or ending a session.
Because we store and process the data we collect, and enable game developers to use it (e.g. via segmentation, A/B tests, etc.), we are both a data processor and a data controller under GDPR.
Yes, as long as the user (game developer or player) has consented to their data being collected and used for analytics and marketing purposes.
The way we obtain consent differs by the type of audience.
Under GDPR, consent is defined as: “Consent must be freely given, specific, informed and unambiguous. Informed consent means that you must be given information about the processing of your personal data”.
Consent for marketing purposes is essential to power some Gamers4Life.ca features – such as website features, development, and advertising.
If a game developer is selected for an audit and we find that they do not collect consent, we will give them a term of 30 days to remediate the situation before blacklisting them. At the end of the 30 days we will check in with the developer to see whether appropriate measures have been implemented. If the game developer requests an extension of the term, one can be provided (dependent on review), up to a total of 30 days.
Yes, if appropriate safeguards are in place. Our data resides in closed-circuit dedicated servers which meet both GDPR and PIPEDA specifications.
According to GDPR, data must be stored for as little time as possible, and individuals must be clearly informed of how long their data will be retained.
“You must store data for the shortest time possible. That period should take into account the reasons why your company/organisation needs to process the data, as well as any legal obligations to keep the data for a fixed period of time (for example national labour, tax or anti-fraud laws requiring you to keep personal data about your employees for a defined period, product warranty duration, etc.). Your company/organisation should establish time limits to erase or review the data stored. By way of an exception, personal data may be kept for a longer period for archiving purposes in the public interest or for reasons of scientific or historical research, provided that appropriate technical and organisational measures are put in place (such as anonymisation, encryption, etc.). Your company/organisation must also ensure that the data held is accurate and kept up-to-date.”
For player data, the retention period will be at most 36 months after we receive the request; we will endeavor to expedite this process.
The removal of requested raw data older than 36 months will start Jan 1, 2022.
For game developers’ data, the interval may vary depending on whether the account is still active.
Want your data deleted? Use this form.