GDPR Resources

Disclaimer

Nothing in this website is intended to be nor should be construed as legal advice.
This is an educational project created by students. Please consult your lawyer for legal advice.

1. Lawful Basis for Data Processing

What is Lawful Data Processing?

When you handle player data (like usernames, gameplay behavior, or in-game purchases), you must follow strict rules to ensure it’s done legally and responsibly. This includes understanding when and how you’re allowed to process data.

Article 5
  • Lawful and Transparent
    • Always tell players what data you’re collecting and why.
  • Specific Purpose
    • Only collect data for specific game features (e.g., saving progress, matching players) and do not use it for unrelated tasks without permission.
  • Minimized Data
    • Gather only what’s necessary. For instance, you don’t need a player’s full address to send in-game rewards.
  • Accuracy
    • Keep data up to date; inaccurate data should be corrected or erased.
  • Storage Limits
    • Don’t keep data longer than necessary. For example, delete inactive accounts after a set period.
  • Security First
    • Protect player data from breaches with strong encryption and secure servers.
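Two of the Article 5 principles above, data minimization and storage limits, can be turned into plain checks in code. The following is an added example and not part of the original guide: it drops fields a reward claim does not need (the "full address" case from the list) and sweeps accounts that have been inactive past a set period. The field names, the 12-month inactivity period and the sample accounts are constructed assumptions.

```python
"""Article 5 in code (added example, not from the original guide): data minimization
for a reward-claim request and a storage-limit sweep over inactive accounts.
The field names, the 12-month inactivity period and the sample accounts are
constructed assumptions."""
from datetime import date, timedelta

# Data minimization: the only fields a reward claim needs. A postal address is not
# one of them (assumption: rewards are delivered in-game, not by post).
REWARD_CLAIM_FIELDS = frozenset({"player_id", "reward_id"})


def minimize_reward_claim(payload: dict) -> tuple[dict, list[str]]:
    """Return (kept, dropped). `kept` holds only the required fields; `dropped` lists
    the extra keys the client sent, so over-collection can be logged and fixed at
    the source instead of silently stored."""
    missing = REWARD_CLAIM_FIELDS - set(payload)
    if missing:
        raise ValueError(f"reward claim missing required fields: {sorted(missing)}")
    kept = {k: payload[k] for k in REWARD_CLAIM_FIELDS}
    dropped = sorted(set(payload) - REWARD_CLAIM_FIELDS)
    return kept, dropped


# Storage limits: assumed retention policy, accounts inactive for over a year are deleted.
INACTIVITY_LIMIT = timedelta(days=365)


def accounts_past_retention(accounts: list[dict], today: date) -> list[str]:
    """Player IDs whose last activity is older than the retention limit."""
    return sorted(
        a["player_id"] for a in accounts if today - a["last_active"] > INACTIVITY_LIMIT
    )


def retention_sweep(accounts: list[dict], today: date) -> tuple[list[dict], list[str]]:
    """Return (remaining accounts, deleted player IDs). Deletion here is removal from
    the in-memory list; a real store would also have to expire its backups."""
    expired = set(accounts_past_retention(accounts, today))
    remaining = [a for a in accounts if a["player_id"] not in expired]
    return remaining, sorted(expired)


# Constructed sample data.
SAMPLE_TODAY = date(2025, 3, 1)
SAMPLE_ACCOUNTS = [
    {"player_id": "p1", "last_active": date(2024, 1, 10)},  # 416 days ago: past limit
    {"player_id": "p2", "last_active": date(2025, 2, 1)},   # 28 days ago: keep
    {"player_id": "p3", "last_active": date(2023, 6, 30)},  # long inactive: past limit
]
SAMPLE_CLAIM = {"player_id": "p2", "reward_id": "r42",
                "street": "1 Example St", "city": "Exampleton"}

if __name__ == "__main__":
    kept, dropped = minimize_reward_claim(SAMPLE_CLAIM)
    print("stored:", kept, "rejected extra fields:", dropped)
    remaining, deleted = retention_sweep(SAMPLE_ACCOUNTS, SAMPLE_TODAY)
    print("deleted for inactivity:", deleted,
          "remaining:", [a["player_id"] for a in remaining])
```

The point of returning the dropped keys rather than discarding them quietly is that a client sending a street address to a reward endpoint is itself a minimization problem worth fixing; the server rejecting the extra data is only the backstop.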

You must have one of these reasons:

Article 6
  1. Player Consent
    • The player agrees to data use (e.g., for personalized recommendations).
  2. Contracts
    • The data is necessary for a feature they signed up for (e.g., account creation).
  3. Legal Obligation
    • You’re following a law (e.g., verifying age for gambling-related content).
  4. Vital Interests
    • Protecting someone’s safety (e.g., banning harmful content).
  5. Public Interest
    • Rare for games but applies to broader public services.
  6. Legitimate Interests
    • The data use benefits your game but doesn’t harm player rights (e.g., analytics to improve gameplay).
Article 8
  1. Kids under 16 need parental approval to share personal data. Some regions allow this at 13, so check local laws.
  2. Make reasonable efforts to confirm the consent is genuine.

2. Transparency and Privacy Notices

Under GDPR, you must be open and clear about how personal data is collected, used, and stored. This ensures that users, especially children, understand their rights and can trust your game.

Article 12, Recital 58
  • Simple and Clear Language
    • All information must be easy to read, avoiding legal jargon. For children, use language they can understand.
  • Accessibility
    • Make privacy notices easy to find, such as a link in your game’s settings or during account sign-up.
  • Formats
    • Provide information in writing or electronically. You can also use visuals, like icons or diagrams, to explain how data is used.
Article 13
When You Collect Data from Users
  • Explain who you are (the data controller).
  • Why you are collecting their data (purpose).
  • How long you will keep their data.
  • Their rights, such as withdrawing consent or accessing/deleting data.
  • Any use of automated decision-making (e.g., for in-game profiling).
When You Get Data from Others
  • Be transparent if you use third-party data (like analytics tools).
  • Explain where the data came from and why it’s being used.

  • Share privacy details as soon as you collect data or, at the latest, during the first interaction (e.g., during account creation).
  • If you’re collecting data from another source, disclose this within one month.
  • Highlight key points in a “Privacy Summary” section, then link to the full notice.
  • Use tooltips or pop-ups during gameplay to explain data collection (e.g., “We collect this data to save your progress!”).
  • For children’s games, include a visual guide or animation explaining privacy.
  • Respond to user requests (like access to their data) within one month.
  • If you can’t comply, explain why and let them know they can file a complaint.

3. Data Minimization and Purpose Limitation

Under GDPR, you must handle players’ personal data responsibly by collecting only what you need and using it only for clear and specific reasons.

Article 5(1)(b)
1. Purpose Limitation
  • Collect personal data only for specific, legitimate purposes (e.g., creating player accounts, saving game progress).
  • Don’t use the data for anything unrelated to those purposes unless the new use is compatible (e.g., for research or improving your game).
2. Data Minimization
  • Collect only the data you absolutely need (e.g., don’t ask for a player’s address if it’s not necessary for gameplay).

4. User Rights (Access, Rectification, Deletion, Portability)

Article 15
  • Information Request
    • Users have the right to confirm whether their data is being processed and access information such as the purpose of processing, categories of data, recipients, storage period, and rights to rectification, erasure, or complaint.
  • Third-Country Transfers
    • Users must be informed about safeguards if their data is transferred internationally.
  • Copies of Data
    • Controllers must provide a copy of personal data, free initially but with reasonable charges for additional copies.
Article 16
  • Users can request corrections to inaccurate data and complete incomplete data without undue delay.
Article 17
  • Erasure Requests
    • Users can request deletion if data is no longer needed, consent is withdrawn, processing is unlawful, or required by law.
  • Public Data
    • Controllers must take reasonable steps to inform others to erase public copies of the data.
  • Exceptions
    • Erasure is not required for freedom of expression, legal obligations, public health, research, or legal claims.
Article 20
  • Data Transfer
    • Users can receive their data in a structured, machine-readable format and transfer it to another controller.
  • Direct Transfers
    • If technically feasible, users can request direct transfers between controllers.
  • Limitations
    • Portability doesn’t override public interest tasks or others’ rights and freedoms.
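Articles 17 and 20 both come down to code paths a game backend has to provide: an export of the player's data in a structured, machine-readable format, and an erasure that removes everything identifying while respecting the exceptions listed under Article 17. The following is an added example, not code from the original guide. The record layout, the export schema name, the rule that purchase records must be retained under a legal obligation, and the sample record are all constructed assumptions.

```python
"""Articles 17 and 20 in code (added example, not from the original guide): a
portability export of a player's personal data in a machine-readable format, and
an erasure routine that keeps only what an assumed legal obligation requires.
The record layout, the retention rule for purchases and the sample record are
constructed assumptions."""
import json
from copy import deepcopy

# Fields the player provided or generated through play; these go into the export.
# Internal-only values (password hash, fraud score) are not the player's data to port.
PORTABLE_FIELDS = ("player_id", "username", "email", "progress", "purchases")
# Fields that identify or describe the player; all of these go on erasure.
PERSONAL_FIELDS = ("username", "email", "progress", "password_hash", "fraud_score")


def export_player_data(record: dict) -> dict:
    """Structured copy of the player's personal data, versioned so another controller
    can parse it (the schema name is an assumption)."""
    return {
        "format": "player-data-export-v1",
        "data": {k: deepcopy(record[k]) for k in PORTABLE_FIELDS if k in record},
    }


def export_player_data_json(record: dict) -> str:
    """Same export serialised to JSON, the machine-readable form handed to the player."""
    return json.dumps(export_player_data(record), indent=2, sort_keys=True)


def erase_player(record: dict) -> dict:
    """Honour an erasure request. Purchase entries survive (assumption: a legal
    obligation requires transaction records) but only with the fields that
    obligation needs, and with nothing that identifies the player."""
    erased = {"player_id": "erased", "erased": True}
    erased["purchases"] = [
        {"order_id": p["order_id"], "amount": p["amount"],
         "retained_for": "legal obligation (assumed)"}
        for p in record.get("purchases", [])
    ]
    return erased


def contains_personal_data(record: dict) -> bool:
    """Check run after erasure to confirm nothing identifying remains."""
    return any(k in record for k in PERSONAL_FIELDS) or record.get("player_id") != "erased"


# Constructed sample record.
SAMPLE_RECORD = {
    "player_id": "p-1001",
    "username": "nightowl",
    "email": "nightowl@example.com",
    "password_hash": "argon2id$constructed-hash",
    "fraud_score": 0.02,
    "progress": {"level": 12, "achievements": ["first_win"]},
    "purchases": [{"order_id": "o-1", "amount": 4.99, "item": "skin_blue"}],
}

if __name__ == "__main__":
    print(export_player_data_json(SAMPLE_RECORD))
    print(erase_player(SAMPLE_RECORD))
```

Building the erased record from scratch, instead of deleting keys from a copy, means a field added to the schema later is excluded by default rather than leaking through an erasure nobody updated.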

5. Security and Data Protection Measures

When handling player data, you need to ensure it’s securely stored and processed. This means preventing unauthorized access (like hackers breaking in) and accidental loss (like data being deleted by mistake).

Article 5(1)(f) & 32
1. Secure Storage and Processing 
  • Set up a data system with strong safeguards so it can’t be easily hacked or damaged.
    • Example: Store player data on a private server with encryption (not an open, easily accessible system).
  • Protect data from accidental loss, like deleting it when cancelling a service.
  • Take additional measures based on the type and risk of the data.
    • Encryption: Convert data into a secure format that can only be accessed with a key.
    • Regular System Checks: Monitor for leaks and test the resilience of your systems.
    • Data Recovery Plans: Create backups so you can restore lost data in emergencies.

Pro Tip: Think about the potential harm if the data were leaked or lost. For example, losing player emails may not be as critical as leaking their payment information.

Article 33

If your data is stolen, leaked, or lost, here’s what you need to do:

  • Notify Authorities:
    • Report to the country’s supervisory authority (find your contact here).
    • Do this within 72 hours of discovery—or explain why you’re late.

  • Provide These Details:
    • What happened (e.g., a hacking attempt or server crash).
    • How many users and records were affected (if known).
    • Contact info for the person handling the breach (e.g., your Data Protection Officer).
    • Possible consequences of the breach.
    • Steps you’ve taken or plan to take to stop the breach and limit damage.

Can’t provide all the details immediately? Send updates as soon as you can. Also, document the incident for future audits.

Article 34

You’ll also need to let players know if their data has been compromised—but only if the breach could significantly affect them. Here’s what to include:

  • What happened and how it might impact them.
  • Any steps you’re taking to mitigate risks.
  • Contact information for further questions.

When You Don’t Need to Notify Players:

  • If the data was encrypted and unreadable to outsiders.
  • If you’ve taken steps to eliminate the risk to players.

6. Data Protection by Design and by Default

What Does “Data Protection by Design and by Default” Mean?

When building your game or platform, you must prioritize player privacy and data security from the start. This means designing features and processes that protect personal data and ensure players’ privacy automatically, without needing extra steps.

Article 25
  1. Privacy by Design
    • Plan privacy into your game development process.
    • Use tools like encryption or pseudonymization to make personal data harder to misuse.
    • Example: If you store player statistics, ensure they’re anonymized unless linked to an account for gameplay purposes.
  2. Privacy by Default
    • Default settings should always protect players’ data.
    • Collect only what’s absolutely necessary for a feature. For example:
      1. ✅ A leaderboard needs a username, not an email address.
      2. ❌ A signup process that pre-selects “share data with third parties” violates this principle.
    • Limit who can access personal data and how long it’s stored.
  3. Scalability and Practicality
    • The level of protection should match the risks. For example, handling child data in your game requires stricter safeguards than handling non-personal data like game analytics.
  4. Ongoing Accountability
    • Demonstrate compliance with privacy principles using certification mechanisms, if available.
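The two Article 25 points that map most directly onto code are pseudonymizing player statistics and shipping settings whose defaults protect the player (the pre-selected "share data with third parties" case). The following is an added example, not code from the original guide: it pseudonymizes player identifiers with a keyed hash before events reach a statistics store, and defines privacy settings that start switched off and only change through an explicit opt-in. The key, the event layout and the option names are constructed assumptions.

```python
"""Article 25 in code (added example, not from the original guide): pseudonymized
player statistics via a keyed hash, and account settings whose defaults protect the
player. The key, the event layout and the option names are constructed assumptions."""
import hashlib
import hmac
from dataclasses import dataclass

# Assumption: this key is held in a secret store separate from the statistics database,
# so whoever can read the stats cannot link a pseudonym back to an account.
PSEUDONYM_KEY = b"constructed-demo-key-not-for-production"


def pseudonymize(player_id: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed hash (HMAC-SHA256): the same player always maps to the same pseudonym,
    so statistics stay consistent, but without the key the mapping cannot be
    rebuilt by hashing a list of known player IDs."""
    return hmac.new(key, player_id.encode(), hashlib.sha256).hexdigest()[:16]


def stats_event(event: dict) -> dict:
    """What the analytics store is allowed to keep from a gameplay event: the pseudonym
    and gameplay fields only, never the account identifier or contact details."""
    return {
        "subject": pseudonymize(event["player_id"]),
        "level": event["level"],
        "duration_s": event["duration_s"],
    }


@dataclass
class PrivacySettings:
    """Privacy by default: every sharing option starts switched off."""
    share_with_third_parties: bool = False
    personalized_recommendations: bool = False
    public_profile: bool = False


def opt_in(settings: PrivacySettings, option: str) -> PrivacySettings:
    """Switch an option on only as an explicit player action. Unknown option names
    are rejected so a typo cannot silently enable something."""
    if option not in PrivacySettings.__dataclass_fields__:
        raise ValueError(f"unknown privacy option: {option}")
    setattr(settings, option, True)
    return settings


def is_privacy_by_default(settings: PrivacySettings) -> bool:
    """True when no sharing option is on; a pre-selected option fails this check."""
    return not any(vars(settings).values())


# Constructed sample event: it carries the account ID and an e-mail address, neither
# of which may reach the statistics store.
SAMPLE_EVENT = {"player_id": "p-1001", "email": "nightowl@example.com",
                "level": 3, "duration_s": 120}

if __name__ == "__main__":
    print(stats_event(SAMPLE_EVENT))
    fresh = PrivacySettings()
    print("defaults ok:", is_privacy_by_default(fresh))
    print(opt_in(fresh, "public_profile"))
```

A keyed hash is used rather than a plain SHA-256 of the player ID because player IDs are usually guessable or enumerable; a plain hash would let anyone with the statistics table rebuild the mapping by hashing candidate IDs, which is why the key has to be stored away from the data it pseudonymizes.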

7. Managing Third Party Providers

Cross-Border Data Transfers in Gaming: GDPR Requirements for Game Developers

When handling player data, particularly transferring it across borders (e.g., to servers outside the EU), developers must comply with GDPR rules outlined in Articles 28-29 and 44-50. These ensure data privacy, accountability, and lawful processing.

Article 28 & 29

If you outsource data processing (e.g., using cloud hosting or analytics services), you must:

Choose Processors Wisely

Only engage processors (e.g., hosting platforms or payment processors) that:

  • Provide sufficient guarantees to implement GDPR-compliant measures.

  • Offer technical and organizational safeguards, especially for cross-border transfers.

Sign Processor Agreements (DPA)

Every contract with a processor must define:

  • The scope, purpose, and duration of processing.

  • Security measures (e.g., encryption, access controls).

  • Processor obligations, such as assisting in compliance (e.g., responding to data subject requests).

Ensure Sub-Processor Compliance

If processors use sub-processors (e.g., a cloud provider in another country), you must ensure:

  • Sub-processors also comply with GDPR requirements.
  • Transfers outside the EU meet conditions in Articles 44-50 (e.g., SCCs or adequacy decisions).
Article 45

Adequate Protection in the Destination Country

  • Transfer is permitted if the EU deems the destination country’s data protection laws “adequate” (e.g., Japan, South Korea).

Appropriate Safeguards

If no adequacy decision exists, you can transfer data if safeguards like these are in place:

  • Standard Contractual Clauses (SCCs): Pre-approved clauses ensuring GDPR-level protection.

  • Binding Corporate Rules (BCRs): Rules for intra-company data sharing.

  • Certifications: Adhering to EU-approved codes of conduct.

Derogations for Specific Transfers

If adequacy or safeguards aren’t feasible, rely on:

  • Explicit Player Consent: Inform players of risks before obtaining consent.

  • Contract Necessity: Essential for game features (e.g., matchmaking).

  • Public Interest or Vital Interests: Rare in gaming but allowed in emergencies.

Article 28 & 29

Data Controllers’ Obligations

As the controller (e.g., a game studio), you must ensure:

  • Monitoring of Processors: Conduct regular audits and compliance checks.

  • Clear Record-Keeping: Document processing activities and decisions, especially for cross-border data.

Prohibited Transfers

Third-country demands for data (e.g., court orders) are unenforceable unless supported by:

  • International Agreements: Such as MLATs, ensuring GDPR rights aren’t overridden.

Article 50

GDPR promotes collaboration with international data protection authorities to:

  • Enforce laws globally.

  • Facilitate mutual assistance (e.g., complaint handling, investigative support).

Practical Steps for Developers

  1. Evaluate Processors
    • Use GDPR-compliant partners for hosting, analytics, or payment processing.
  2. Secure Safeguards
    • Draft robust DPAs and ensure SCCs or other mechanisms for non-EU transfers.
  3. Be Transparent
    • Inform players where data is stored and processed.
  4. Monitor Compliance
    • Conduct periodic audits of processors and sub-processors.
  5. Document Transfers
    • Maintain records of all cross-border data activities.

8. Data Transfers Outside the EU

GDPR Protection Follows the Data

If you’re dealing with European users’ data and want to transfer it outside the EU, GDPR requires that the same level of protection travels with the data. This applies whether you or your data processors are based inside or outside the EU.

Article 45

You’re in luck if your destination country or territory has been approved as “safe” by the European Commission because their laws provide sufficient data protection.

  • What This Means
    • No extra paperwork or approval is needed. Just go ahead and transfer the data.
    • Approved countries are listed on the European Commission website.

Key Tip
The list changes, so check it periodically to ensure your destination remains approved.

Article 46

If there’s no adequacy decision for your destination, you can still transfer data by ensuring it’s protected through appropriate safeguards.

Here are your options:

a) Standard Contractual Clauses (SCCs)

These are pre-approved contract templates that you include in your agreements.

  • Use them to establish the rules for how the data will be protected.
  • Download SCCs directly from the European Commission.

b) Binding Corporate Rules (BCRs)

These are detailed rules your company or group of companies must follow for internal data transfers.

  • Steps to Use BCRs
    1. Get them approved by your local Data Protection Authority (DPA).
    2. Ensure they include:
      • Legal enforceability across all involved entities.
      • Rights for individuals (e.g., access or deletion of their data).
      • Details on which data is transferred, why, and how it’s processed.
      • Clear responsibilities for compliance, complaint handling, and audits.
      • Cooperation mechanisms with the DPA.
      • Training for employees handling data.
Article 49

When neither adequacy decisions nor safeguards apply, exceptions (derogations) may allow you to transfer data.

  • Explicit Consent
    If the individual agrees to the transfer after being told all the risks.
  • Contract Performance
    If the transfer is necessary to fulfill a contract with the individual (e.g., sending data to a partner abroad).
  • Legal or Vital Necessity
    If the transfer is needed to protect someone’s vital interests (e.g., medical emergencies).
Article 48

If a third-country government asks for data, don’t hand it over unless:

  1. There’s an international treaty in place (e.g., a mutual legal assistance treaty).
  2. The request complies with EU law.
Article 50

To streamline global data flows while protecting privacy, the EU and DPAs actively:

  • Build partnerships with third countries.
  • Share best practices and offer mutual assistance for data protection enforcement.

9. In-Game Profiling and Automated Decision-Making

Article 13 & 14

When collecting personal data, you must clearly inform users (or parents for children):

  • Who you are
    • Studio name, contact details, and your Data Protection Officer’s contact (if applicable).
  • Why you’re collecting data
    • E.g., to improve gameplay, personalize features, or enable payments.
  • Legal basis
    • Consent, contract fulfillment, or other lawful reasons.
  • Who receives the data
    • Third-party advertisers, analytics platforms, or payment processors.
  • How long you’ll keep it
    • Specify retention periods or criteria.
  • Automated decisions
    • Explain profiling or decision-making processes, such as personalized recommendations.
  • Data transfers outside the EU
    • Mention safeguards for cross-border transfers.

When to inform
At data collection or, if indirect, within one month or at first interaction.

Article 22

If your game makes significant decisions using algorithms (e.g., banning accounts, pricing, or personalized content):

  • Explain the process
    • Share how decisions are made (e.g., “We use play data for difficulty adjustments”).
  • Player rights
    • Allow users to challenge decisions or request human review.
  • When it’s allowed
    • Only if needed for contracts, based on consent, or required by law.

10. Record-Keeping and Accountability

Article 5(2)
  • The data controller is responsible for following GDPR rules and must prove compliance. This principle is called “accountability.”
Article 24
  • The controller must put in place technical and organizational measures to ensure compliance with GDPR.
  • These measures should:
    • Reflect the nature, scope, context, and purpose of the data processing.
    • Consider the likelihood and severity of risks to individuals’ rights.
  • Regularly review and update these measures to keep them effective.
  • Additional Steps to Demonstrate Compliance:
    • Implement data protection policies where relevant.
    • Follow approved codes of conduct (Article 40) or certification mechanisms (Article 42).
Article 30
Controllers

Controllers must maintain detailed records of processing activities, including:

  1. Contact Details
    • Information about the controller, joint controllers, representatives, and Data Protection Officer (DPO) (if applicable).
  2. Purpose
    • Reasons for processing personal data.
  3. Data Categories
    • Types of data subjects and personal data being processed.
  4. Recipients
    • Who the data is shared with, including any international recipients.
  5. Data Transfers
    • Details of any transfers to other countries or international organizations, with safeguards for protection.
  6. Retention Periods (if possible)
    • Time limits for keeping each data type.
  7. Security Measures (if possible)
    • General overview of measures protecting data (e.g., encryption, access controls).

Processors

Processors must keep records of processing activities carried out on behalf of controllers, including:

  1. Contact details (processor, controllers, representatives, and DPO, if any).
  2. Types of processing performed for each controller.
  3. Information on international data transfers and safeguards.
  4. General description of security measures (if possible).

Format and Access

  • Records must be written (electronic format is acceptable).
  • Supervisory authorities can request these records at any time.

Small Organizations Exception

  • Organizations with fewer than 250 employees are exempt unless:
    • Processing poses risks to individuals’ rights.
    • Processing is regular or involves sensitive data or criminal data.
Article 35

When processing is likely to involve high risks to individuals’ rights, the controller must conduct a DPIA before starting.

This applies to:

  1. Automated decision-making (e.g., profiling) with significant impacts on individuals.
  2. Large-scale processing of sensitive or criminal data.
  3. Systematic monitoring of public areas.

The DPIA must include:

  • A detailed description of the processing activities and their purposes.
  • An analysis of whether the processing is necessary and appropriate.
  • A risk assessment for individuals’ rights.
  • Measures to address and mitigate these risks (e.g., safeguards, security).

Consultation and Transparency:
  • Seek advice from the DPO, if applicable.
  • Engage with data subjects or representatives where appropriate, without compromising security or commercial interests.

Supervisory Authority Guidance:
  • Supervisory authorities will list processing activities that require or exempt a DPIA.
  • Controllers must review and update DPIAs if the risks or processing conditions change.