Mobile applications are one of the two areas covered by the President of the Personal Data Protection Office's 2022 inspection plan for the private sector. Unfortunately, game developers often fail to realize how much personal data they process, beyond that of employees or contractors, which results in them disregarding legal requirements in this area, primarily the GDPR*.

What data can be processed?

By definition, personal data means any information relating to an identified or identifiable natural person. An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, online identifier, etc. The scope of personal data processed in a given game can vary, but several main categories can be distinguished**:

a) User account data – e.g. name, surname, image, address
b) Payment data – e.g. related to micropayments
c) Data on technical parameters of hardware and software – e.g. hardware specifications, IP addresses, MAC addresses, UDID
d) Data on player activity in the game – e.g. the most common player settings, selected options
e) Customer service data – e.g. complaints and problems reported by players regarding bugs, other players' behavior, error reports, etc.
f) In-game communication data – e.g. from chats
g) Player statistical data – e.g. for the purposes of creating rankings

Selected duties

A Personal Data Controller must comply with numerous obligations and principles outlined in the GDPR. A few of these are listed below.

Lawfulness of processing – every process involving personal data processing must be based on a proper legal basis. It is wrong to excessively collect consent when it is not necessary. Other applicable grounds include necessity for the performance of a contract or the legitimate interest of the controller.

Information obligation – every player or user must be informed about a number of issues related to personal data. This information must be provided no later than the time of data collection. Therefore, how and when the message or privacy policy is displayed must be carefully designed.

Child Use – When collecting personal data from children, as is often the case with games, additional requirements are imposed. These include using simple and clear language and sometimes verifying that the parent has consented to data processing.

Risk Based Approach

The implementation of any project involving the processing of personal data must be based on a risk assessment. This assessment demonstrates (as required by the accountability principle) that appropriate technical and organizational measures have been implemented to ensure lawful processing. The general requirement to monitor risks to rights and freedoms arises from Article 24(1) of the GDPR.

Furthermore, Article 25 of the GDPR requires a risk assessment to be conducted at the design stage of a given process. This requirement serves to verify whether the planned measures for implementing the GDPR's requirements are adequate to the level of identified risks that may be associated with data processing. Such a preliminary assessment also makes it possible to determine whether a given situation may require a data protection impact assessment (DPIA), i.e., the so-called "in-depth risk analysis" regulated in Article 35 of the GDPR.

Conducting a risk analysis and data protection impact assessment should be considered primarily to help organizations identify sensitive areas most vulnerable to adverse effects. This will allow them not only to ensure compliance with regulations but, above all, to prioritize those process elements that require more effective security measures and greater technical and organizational resources. Additionally, the organization verifies whether users can effectively exercise their rights and freedoms (e.g., withdrawing consent, updating or rectifying data, the right to object, the right to data portability, etc.).

This alert is for informational purposes only and does not constitute legal advice.


* Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ EU L. of 2016, No. 119, p. 1, as amended).
** E. Lejman-Widz, “Personal data protection in the gaming industry. What you need to remember”, Euro Info Bulletin 10 (213) 2021
