Sid Meier's Civilization VI

Disappointed in 2k games Privacy Policy
Initially, I was very happy about buying Civ 6. However, the terms of use gave me some concerns.

I understand now that every company collects data such as your IP address when in multiplayer. For example, the websites you visit collect IP address.

What was unsettling to me about the Privacy Policies are the following. The way they were presented was just unprecedented (Civ 5 and Borderlands series did not have such a vast privacy

Here are Proofs:

http://steamcommunity.com/profiles/76561198136678645/screenshot/865117632205707625

Read for more; the screenshot says it all.

http://steamcommunity.com/sharedfiles/filedetails/?id=1208406713


When I open the game, it says: your personal information will be shared with countries that have different privacy terms. I am not happy about my personal information being shared with 3rd parties in other countries.

The game collects my personal information: my name, last name and even photos?

My suggestion: All I want is a bit more privacy. A little less data sharing with 3rd parties or foreign countries. In other words, if they could tone down the data collection. I just feel like Big Brother is watching (George Orwell reference).

Please email them here if you want them to tone down the data collection a bit
privacypolicy@take2games.com

This is my opinion. Feel free to disagree and keep this thread respectful! Thank you.
Note for FYI: Adam Jensen is a fictional character from Deus Ex: Human Revolution
Last edited by Adam Jensen 007; Nov 26, 2017 @ 1:11pm
ArcesseEum May 27, 2018 @ 4:44pm 
Has anyone managed to get a refund based on the new EULA? This is not what I wittingly signed up for...
Imparfecto Jun 9, 2018 @ 10:17pm 
Originally posted by SamBC:
Originally posted by Agricola:
As a European citizen I can ask these companies to 'forget' my data or send me a document with all the information they have on me, but how am I going to check they actually do? And who is going to enforce these laws?
The data protection regulator in your country, or if they are a European company, in their country. That's who enforces the laws.

To everyone, note that the new Data Protection law in Europe doesn't require consent; it requires any of several legal bases for processing data, and consent should only be used where none of the others applies. If they use the "legitimate interest" basis (actually the one that will apply most often in practice), then you can object and they have to consider your objection. They also have to tell you what sort of processing they do, hence privacy statements like this.

I'm sorry to inform you Sam, but you are actually mistaken on several of the points you've listed in this thread regarding consent and Privacy when concerning EU citizens, and quite frankly your patronising tone toward some members is completely misplaced and undeserved, especially given the fact that it is absolutely clear this is not an area you have professional experience in - I apologise for being blunt, but someone needs to take you back down from the clouds as you are frankly making 2k look ridiculous now.

Expressed consent (not just assumptive consent by means of 'notification') is legally required; such has been the way even before the recent change in privacy regulation in Europe. The main difference is that data controllers can be fined greater amounts & now have to be even more transparent in regards to the details of how they may use and/or handle personal data, sensitive or otherwise. This is why the EULA will no longer contain a "generalised statement", which it did previously.

Furthermore, it is an individual's absolute and fundamental right to object to such processes, and they maintain the right to withdraw from it at any given time by notification in writing. If an individual requests further clarification on the topic, that too is also a legal requirement for the company, as a data controller, to fulfil in a timely manner. Such requests do not need to be written in legal jargon, nor directly cite the regulation in effect to make them valid for such a case.

Though, I do note that - to my surprise - the company now claims to store financial and payment information that can be linked to a specific individual; and that such information may be transmitted to and within countries that have less regulation for privacy policy. In light of this, there is fundamentally no reason whatsoever that the company would require to keep a copy of my sensitive payment information beyond the name on my card, the last 4 digits of my card number, the type of card, the time & date(s) of purchases, the relevant sums due and/or paid.

Can you please provide a list of the names for each country that such information may be processed, stored or otherwise used in - and can you also please confirm the specifics regarding the 'payment/financial information' that is referenced in the EULA. If for any reason whatsoever, you are not in a position to provide a legally binding response for and on behalf of the company, then please make me aware at your earliest convenience; otherwise I am right to conclude that your content on this thread is fully endorsed by the company.

Thanks.
WimpyTheWarrior Jun 10, 2018 @ 2:23am 
Originally posted by Imparfecto:
Originally posted by SamBC:
The data protection regulator in your country, or if they are a European company, in their country. That's who enforces the laws.

To everyone, note that the new Data Protection law in Europe doesn't require consent; it requires any of several legal bases for processing data, and consent should only be used where none of the others applies. If they use the "legitimate interest" basis (actually the one that will apply most often in practice), then you can object and they have to consider your objection. They also have to tell you what sort of processing they do, hence privacy statements like this.

Expressed consent (not just assumptive consent by means of 'notification') is legally required, such has been the way even before the recent change in privacy regulation in Europe.
Consent is one of six legally allowable reasons to process European personal data. https://gdpr-info.eu/art-6-gdpr/ I disagree with SamBC's thought that 'legitimate interests' might be used; in my experience most companies are using 'performance of a contract' if they do not rely on consent.

Multiple legal reasons for processing personal data have been in place in Europe prior to GDPR. Legislators have always recognised that there are multiple reasons to process personal data; consider how would a bank report a non-paying consumer to a credit rating agency? Few consumers would consent to that processing; so legislators have always allowed other legal reasons.

Originally posted by Imparfecto:
Furthermore, it is an individuals absolute and fundamental right to object to such processes and they maintain the right to withdraw from it at any given time by notification in writing. If an individual requests further clarification on the topic, that too is also legal requirement for the company, as a data controller, to fulfil in a timely manner. Such requests do not need to be written in legal jargon, nor directly cite the regulation in effect to make them valid for such a case.
European residents may withdraw consent, but processing can continue if the processing was based on a different legal reason. For example, a resident cannot withdraw 'consent' for a municipality's processing of the resident's criminal record. (Article 10)

Regarding clarification on the [processing] topic and consent, Article 7 of the GDPR declares that consent must be obtained 'in an intelligible and easily accessible form, using clear and plain language.' https://gdpr-info.eu/art-7-gdpr/

Originally posted by Imparfecto:
Can you please provide a list of the names for each country that such information may be processed, stored or otherwise used in - and can you also please confirm the specifics regarding the 'payment/financial information' that is referenced in the EULA.

The GDPR does not mandate that specific countries where processing is performed are named. Companies need only declare if the processing, storage or access will occur from outside the European Economic Area. If so, there are requirements to determine adequacy that must be performed (GDPR Articles 45 and 46). So even if a US company is storing European data in the USA, and using off-shore resources in India to access the data, that processing, storage, and access must be performed compliant with GDPR, notably Articles 30 and 32.

Regarding 'payment/financial information', as a European resident you have a right to obtain a copy of all personal data a company holds about you. You can contact privacypolicy@take2games.com and request a copy of the exact data they hold about you. You also have a right to correct the data. You can have the data deleted if processing the data is not allowable under another condition.

Originally posted by Imparfecto:
If for any reason whatsoever, you are not in a position to provide a legally binding response for and on behalf of the company, then please make me aware at your earliest convenience; otherwise I am right to conclude that your content on this thread is fully endorsed by the company.

Thanks.
SamBC is not an employee of 2K Games or their parent company Take-Two Interactive Inc. so I'm not sure why you would ask him for this information, or consider that Take-2 Games have endorsed his comments!

You might have better luck reading the Take2 Privacy Notice here: https://www.take2games.com/privacy/, which provides the email address privacypolicy@take2games.com in many Sections. You will have better results protecting your privacy rights with a company by dealing with that company's official pages.

From your Steam profile I believe you're a resident of the United Kingdom, and I encourage you to check out the helpful consumer pages of the Information Commissioner's Office: https://ico.org.uk/your-data-matters/. Also note that the UK has given assurance to the EU that GDPR compliance will be maintained after Brexit, so you should not lose any rights after April 2019.

And lastly, speaking as a Privacy professional, thank you very much for taking an interest in your personal data. Companies will not improve their behaviour solely on government legislation; it will also take consumer interest and action.
Last edited by WimpyTheWarrior; Jun 10, 2018 @ 2:42am
blkbutterfly Jun 10, 2018 @ 5:57am 
@WimpyTheWarrior Wow! Excellent breakdown of GDPR re: 2K EULA.

Sorry @SamBC :steammocking:

TBH I was mostly pissed off at 2K over Poundmaker more than the EULA. Indigenous rights is what interests me. GDPR is dull and mind numbing as hell.
Dude Jun 10, 2018 @ 7:04am 
Originally posted by Adam Jensen 007:
Initially, I was very happy about buying Civ 6. However, the terms of use gave me some concerns.

I understand now that every company collects data such as your IP address when in multiplayer. For example, the websites you visit collect IP address.

What was unsettling to me about the Privacy Policies are the following. The way they were presented was just unprecedented (Civ 5 and Borderlands series did not have such a vast privacy

Here are Proofs:

http://steamcommunity.com/profiles/76561198136678645/screenshot/865117632205707625

Read for more the screenshot says it all

http://steamcommunity.com/sharedfiles/filedetails/?id=1208406713


When I open the game, it says: your personal information will be shared with countries that have different privacy terms. I am not happy about my personal information being shared with 3rd parties in other countries.

The game collects my personal information: my name, last name and even photos?

My suggestion: All I want is a bit more privacy. A little less data sharing with 3rd parties or foreign countries. In other words, if they could tone down the data collection. I just feel like Big Brother is watching (George Orwell reference).

Please email them here if you want them to tone down the data collection a bit
privacypolicy@take2games.com

This is my opinion. Feel free to disagree and keep this thread respectful! Thank you.
Note for FYI: Adam Jensen is a fictional character from Deus Ex: Human Revolution

Now you know why the game is such crap. It's just an excuse to spy on ppl lol
SamBC Jun 10, 2018 @ 8:10am 
Originally posted by WimpyTheWarrior:
Originally posted by Imparfecto:
Expressed consent (not just assumptive consent by means of 'notification') is legally required, such has been the way even before the recent change in privacy regulation in Europe.
Consent is one of six legally allowable reasons to process European personal data. https://gdpr-info.eu/art-6-gdpr/ I disagree with SamBC's thought that 'legitimate interests' might be used; in my experience most companies are using 'performance of a contract' if they do not rely on consent.

Multiple legal reasons for processing personal data have been in place in Europe prior to GDPR. Legislators have always recognised that there are multiple reasons to process personal data; consider how would a bank report a non-paying consumer to a credit rating agency? Few consumers would consent to that processing; so legislators have always allowed other legal reasons.

Thank you for the confirmation. I base the idea of legitimate interests being a key element on the guidance from the UK ICO, but performance of a contract is also important - and if you can use it, I understand that it is usually better than legitimate interests. The balancing of interests and the three-part test make legitimate interests inherently more risky.

On the other hand, a lot of the processing that game developers and publishers do isn't really related to performance of contract. Telemetry to determine what game settings people tend to use, whether they play scenarios, what civs people prefer to play - there's a legitimate interest in understanding how to make the game better, but it's not inherent in the contract existing between the parties. Indeed, it's arguable there is no contract between the parties, other than an EULA, as the contract of sale is between the purchaser and retailer.

With all due respect, performance of contract is "better", but not relevant in all situations.
Originally posted by WimpyTheWarrior:
Originally posted by Imparfecto:
Furthermore, it is an individuals absolute and fundamental right to object to such processes and they maintain the right to withdraw from it at any given time by notification in writing. If an individual requests further clarification on the topic, that too is also legal requirement for the company, as a data controller, to fulfil in a timely manner. Such requests do not need to be written in legal jargon, nor directly cite the regulation in effect to make them valid for such a case.
European residents may withdraw consent, but processing can continue if the processing was based on a different legal reason. For example, a resident cannot withdraw 'consent' for a municipality's processing of the resident's criminal record. (Article 10)

Regarding clarification on the [processing] topic and consent, Article 7 of the GDPR declares that consent must be obtained 'in an intelligible and easily accessible form, using clear and plain language.' https://gdpr-info.eu/art-7-gdpr/

And lastly, speaking as a Privacy professional, thank you very much for taking an interest in your personal data. Companies will not improve their behaviour solely on government legislation; it will also take consumer interest and action.
There is a right to object - ICO advice is at https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-object/ - and the right is absolute in the sense that you can always object (depending on the basis of the processing), but the objection is only absolutely required to be honoured in the case of direct marketing. For legitimate interests, public interest, public tasks and other categories, there's a right to object but the data controller can determine that they don't need to stop. Specifically relevant in this case is that the controller can determine that there is a compelling legitimate interest that overrides (strongly outweighs, basically) the individual freedoms (which you can then challenge with a regulator, of course).

There are potential problems with the Take-Two privacy notice, in my opinion, and it's right to talk about them. I agree that it's important that people take an interest in these things. Taking an interest means understanding things, though, and there's a widespread problem that people think data protection means requiring consent. In a huge range of cases, as you've described, it does not. If everyone goes around shouting "but what about consent", it distracts from the actual problems.
Imparfecto Jun 10, 2018 @ 8:41am 
@WimpyTheWarrior

Yes, of course there are multiple legal reasons as to why personal data may be handled; and a data controller has an obligation to comply with sharing such information should they be requested to do so - for example, as rightly pointed out, by banks or other financial institutions with credit reference agencies, also with certain agencies and authorities such as law enforcement when it is relating to criminal background checks. Though such reasons do not normally (if at all ever) fall within the remit of a gaming developer/publisher. They may wish to collate and compile personal data for 'marketing purposes', but the latter would not suffice as a fundamental reason for storing an individual's finance/payment details beyond what I mentioned previously (minimal detail to record prior sales/purchases). In light of that, I'm simply trying to understand precisely how much financial/payment information is retained and for what reason(s) the company believes the necessity for doing so; otherwise it would be fair to make the case that retaining information of that nature could be excessive and outside the scope of legitimate interests - therefore requesting it be deleted.

I wasn't fully sure if Sam was employed or otherwise contracted by the company (hence why I was seeking clarification on the matter), though thank you for clearing that up for me!

I don't work directly in Privacy, but I do work in legal finance (as such, privacy regulation is a key topic we usually keep ourselves up to date with), but I did find it alarming that there is the possibility of, what I would consider excessive and in this case unreasonable, payment/financial information retained by the company without clearly outlining specifications. I would fully understand the necessity for retaining minimal records for their own legitimate business interests (such as sales recording), but with the absence of clarity regarding precisely how much information is really being stored without resorting to a subject access request, it certainly draws attention.
SamBC Jun 10, 2018 @ 9:35am 
A subject access request isn't some hugely formal, legal, onerous thing. Data controllers are now required to have all customer-facing staff recognise a subject access request, without them having to mention those words or the GDPR, and comply with it within a month. So if you send something asking for a copy of all your data to 2K Support, clarifying that you want all data across the company, they have to respond to it appropriately.

Of course, they may not know that, but it's worth giving it a chance.

They also can't charge money for it (except in limited circumstances largely around vexatious requests), one of the more important changes made by the GDPR in terms of how ordinary people interact with it.

GDPR requires privacy information that gives a general outline of what information they are processing and for what purpose. It doesn't require a detailed breakdown (though I personally feel it requires more detail than the Take-Two privacy information gives), short of actually asking for your data.
The Yeen Queen Jun 10, 2018 @ 2:10pm 
Originally posted by ArcesseEum:
Has anyone managed to get a refund based on the new EULA? This is not what I wittingly signed up for...

Nope, because one of the things you agree to when you sign the original was that it was subject to change. You can choose not to agree to the new one, but you aren't entitled to a refund.
VonDüsenberg Jun 10, 2018 @ 3:34pm 
hello. just wondering... so they collected all your data since when you installed the game and now because of the EU law they need you to agree to this practice?
SamBC Jun 11, 2018 @ 3:15am 
Originally posted by Cerve:
hello. just wondering... so they collected all your data since when you installed the game and now because of the EU law they need you to agree to this practice?
No, they just need to inform you (provided they believe they have a sufficient legitimate interest).
Imparfecto Jun 11, 2018 @ 1:04pm 
Originally posted by SamBC:
Originally posted by Cerve:
hello. just wondering... so they collected all your data since when you installed the game and now because of the EU law they need you to agree to this practice?
No, they just need to inform you (provided they believe they have a sufficient legitimate interest).

Examples of legitimate interests would be:
- a company releases information to the Police or an alternative enforcement body upon request
- a bank or financial institution shares your information with credit reference agencies for anti-money laundering checks.

'Marketing and research' still requires expressed consent, which can be obtained by a pop-up window requiring any activity to symbolise acceptance, such as clicking "I agree" or "Ok" to close such a notification. Of course there are alternative ways to obtain such consent, but it is needed nonetheless.



Originally posted by SamBC:
A subject access request isn't some hugely formal, legal, onerous thing. Data controllers are now required to have all customer-facing staff recognise a subject access request, without them having to mention those words or the GDPR, and comply with it within a month. So if you send something asking for a copy of all your data to 2K Support, clarifying that you want all data across the company, they have to respond to it appropriately.

Of course, they may not know that, but it's worth giving it a chance.

They also can't charge money for it (except in limited circumstances largely around vexatious requests), one of the more important changes made by the GDPR in terms of how ordinary people interact with it.

GDPR requires privacy information that gives a general outline of what information they are processing and for what purpose. It doesn't require a detailed breakdown (though I personally feel it requires more detail than the Take-Two privacy information gives), short of actually asking for your data.

I would disagree with this. Subject access requests are indeed formal and legal requests. It may not be an onerous task for a game developer/publisher owing to the fact the information related to an individual will be minimal compared to the likes of your local council.

Employees have been required to recognise such requests for several years now, with most undertaking an annual data protection mini exam where the answers must be 100% correct and no less. There is a 40-calendar-day period from the point where the request has been fulfilled and verification has been deemed satisfactory by the data controller to where the requested information must be delivered.

They have the right to charge a fee for a subject access request subject to where you live. For example, in the United Kingdom a fee of up to £10.00 can be requested for processing a SAR. The latter does not apply to public authorities, however, in which case an FOI (Freedom of Information) request can usually be made free of charge. Public authorities, however, retain the right to implement a variable fixed cost for the processing depending on the size of it.
SamBC Jun 11, 2018 @ 1:15pm 
Originally posted by Imparfecto:
Originally posted by SamBC:
No, they just need to inform you (provided they believe they have a sufficient legitimate interest).

Examples of legitimate interests would be:
- a company releases information to the Police or an alternative enforcement body upon request
- a bank or financial institution shares your information with credit reference agencies for anti-money laundering checks.

'Marketing and research' still requires expressed consent, which can be obtained by a pop-up window requiring any activity to symbolise acceptance, such as clicking "I agree" or "Ok" to close such a notification. Of course there are alternative ways to obtain such consent, but it is needed nonetheless.
Here's the UK's ICO on legitimate interests: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/legitimate-interests/

As you will see, legitimate interests are much broader than the cases you outline, and include commercial interests.

The first example you give wouldn't be legitimate interests at all, but "legal obligation", as described at https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/legal-obligation/

Consent is not required for the legitimate interest basis, and indeed marketing (but not direct marketing, thanks to other requirements) can be a legitimate interest. As the ICO notes at the first link above,
Originally posted by ICO:
You can rely on legitimate interests for marketing activities if you can show that how you use people’s data is proportionate, has a minimal privacy impact, and people would not be surprised or likely to object
Whether this case would count as marketing at all is another matter.
Originally posted by Imparfecto:
Originally posted by SamBC:
A subject access request isn't some hugely formal, legal, onerous thing. Data controllers are now required to have all customer-facing staff recognise a subject access request, without them having to mention those words or the GDPR, and comply with it within a month. So if you send something asking for a copy of all your data to 2K Support, clarifying that you want all data across the company, they have to respond to it appropriately.

Of course, they may not know that, but it's worth giving it a chance.

They also can't charge money for it (except in limited circumstances largely around vexatious requests), one of the more important changes made by the GDPR in terms of how ordinary people interact with it.

GDPR requires privacy information that gives a general outline of what information they are processing and for what purpose. It doesn't require a detailed breakdown (though I personally feel it requires more detail than the Take-Two privacy information gives), short of actually asking for your data.

I would disagree with this. Subject access requests are indeed formal and legal requests. It may not be an onerous task for a game developer/publisher owing to the fact the information related to an individual will be minimal compared to the likes of your local council.

Employees have been required to recognise such requests for several years now, with most undertaking an annual data protection mini exam where the answers must be 100% correct and no less. There is a 40-calendar-day period from the point where the request has been fulfilled and verification has been deemed satisfactory by the data controller to where the requested information must be delivered.

They have the right to charge a fee for a subject access request subject to where you live. For example, in the United Kingdom a fee of up to £10.00 can be requested for processing a SAR. The latter does not apply to public authorities, however, in which case an FOI (Freedom of Information) request can usually be made free of charge. Public authorities, however, retain the right to implement a variable fixed cost for the processing depending on the size of it.
The right to charge a fee is out of date. That was removed by the GDPR (the former DP regime allowed it). For more information, see the ICO guidance at https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-of-access/

Particularly, note the following:
Originally posted by ICO:
The GDPR does not specify how to make a valid request. Therefore, an individual can make a subject access request to you verbally or in writing. It can also be made to any part of your organisation (including by social media) and does not have to be to a specific person or contact point.

A request does not have to include the phrase 'subject access request' or Article 15 of the GDPR, as long as it is clear that the individual is asking for their own personal data.

This presents a challenge as any of your employees could receive a valid request. However, you have a legal responsibility to identify that an individual has made a request to you and handle it accordingly. Therefore you may need to consider which of your staff who regularly interact with individuals may need specific training to identify a request.
There is no need for formal phrasing, no need to send it to a specific office. You just ask for your data and they are obliged to fulfil that request (subject to the various exemptions).

Oh, and as described at that link, the time limit is one calendar month starting on the day after the request was received - so 28, 30 or 31 days depending on what month it is.
Last edited by SamBC; Jun 11, 2018 @ 1:15pm
Archer (Banned) Jun 12, 2018 @ 7:17am 
SamBC - you really need to stop shilling. You are inflaming the situation, not helping it.

Everybody in the EU - please make full use of GDPR to get justice for everybody whose privacy has been invaded.

Australians - it's possible that we could argue that the insertion of this spyware invalidates the contract that we originally entered into when we bought the software. Let's lodge complaints with the Consumer Affairs department in our respective states and demand refunds.
Archer (Banned) Jun 12, 2018 @ 7:18am 
EU people - even if GDPR can't get it removed or punished, at the very least sending several thousand demands for copies of our privacy data will bog them down in paperwork and make them regret their mistake.

Date Posted: Nov 22, 2017 @ 2:24pm
Posts: 87