How does GDPR affect player groups that collect information on their members

I was on a Discord that recently put up an announcement about GDPR and the data they collected from their members. It made me realise that maybe I should do this as well.

Be it in a spreadsheet, or a database. No player group doesn't collect data about their members. All of our favourite tools rely on the transfer of data. EDDB, EDSM, EDDiscovery, Inara, etc. But these are established websites.

How does GDPR affect informal playergroups like those that run PMFs?

I've currently written the following on my thread about the data I collect.
Regarding GDPR

Personal data is any information relating to an individual, whether it relates to his or her private, professional or public life.
I feel it is best I state the following. I collect your data from the Order of Enblackenment Discord and this forum thread on a spreadsheet. I collect
  1. your Forum/cmdr name
  2. the commodity you haul
  3. and the quantity that you haul.
This is publicly visible to anyone who has a link to the spreadsheet and may be copied by others. I use this data to produce statistics and fancy charts on how we're doing with regards to repairing Sturkow Port which function as a means to attract more people here.

The only person who has access to manipulate the spreadsheet is myself and CMDR Majaxx. I may add or remove others.
As a data subject... you have the right to

  1. Access your data.
  2. Erasure of your data.

I'm not sure what that means with regards to your totals, but I'll take it to mean removal of your forum/cmdr name from public view. If you want access to your data at any time you can ask me for it. (or just copy the sheet).

Is this overkill?
What have you folks in player groups that collect data done?
What does FrontierDev think we should do?

References:

Article 4 said:
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

Recital 18 said:
This Regulation does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity and thus with no connection to a professional or commercial activity. Personal or household activities could include correspondence and the holding of addresses, or social networking and online activity undertaken within the context of such activities. However, this Regulation applies to controllers or processors which provide the means for processing personal data for such personal or household activities.
 
After reading the supplied link I gleaned this....

Are you a business?

No. Forget about it.

Yes. Hire many new people and spend lots of cash to keep your asp in compliance.

That's the Cliff Notes version of it. Then again, I am not a lawyer.
 
According to the scope of the EU Legislation .....

This Regulation does not apply to the processing of personal data: .....

by a natural person in the course of a purely personal or household activity;


So it is a wider net when a 'natural person' (is this some kind of gender catch-all?) is collecting data other than for personal reasons.

So I think it is absolutely right that you ask FD for guidance on this, because it is going to affect everyone who does what you do, although to be honest, it looks like you have it well covered.
 
Natural person differentiates it from companies which under law are considered "people".

Which article in GDPR did you read that from?
 
Not a lawyer, but your statements look ok.

Only suggestions are:
* google GDPR and Clubs (for additional tips)
* Make an additional note on Children (as I believe there are special rules).
 

Recital 18 seems to provide clarification.

https://gdpr-info.eu/recitals/no-18/

This Regulation does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity and thus with no connection to a professional or commercial activity. Personal or household activities could include correspondence and the holding of addresses, or social networking and online activity undertaken within the context of such activities. However, this Regulation applies to controllers or processors which provide the means for processing personal data for such personal or household activities.

It doesn't fully outline what personal activities are but includes a few examples like holding a list of addresses for personal correspondence, social networking. But whether engaging in an online game together applies? It's unclear.

What does personal activity mean?
 
I'm not familiar with EU regulations, but as far as data gleaned from the game, I find it hard to equate this with personal data. Nothing I do ingame reveals anything about the real me. It's a virtual identity that doesn't exist in reality and would therefore have no civil rights.

Game guy /= real guy.

Now, if they collected real personal information, it might get my dander up a bit.

Not much, but a bit. I'm not that interesting. Nobody here is.
 
It's complete overkill, ignore it.
 
The new data protection law of the European Community, GDPR, affects all those who use data from people or entities of citizens and / or companies of the EEC, Switzerland and United Kingdom; it also affects companies that are outside these countries but meet information of said citizens.

It simply forces you to have them safe, not to use them to exchange with third parties or entities, and to indicate to your data protection agency that you take adequate protection measures.

There are three levels of obligation according to sensitivity criteria: maximum, minimum, average.

Practical example: This forum of Frontier to own personal data, such as emails and telephone addresses where he lives, to be of general public access are considered low risk.

If we add banking data of any registered one, it would be considered maximum / average risk.

Another example is a small press distribution office, which has registered its customers and their billing, is considered average risk / maximum.

How does it affect a citizen that they have friends in their personal database, or a group of friends that create a forum or web page where those personal data are ... then consider the minimum risk if there are no banking and / or business data and they should only take minimum measures of data protection.

In any case if you have public access or is a company or autonomous in the case of Spain, and I suppose that the rest is something similar, you must register that database, such as forum X and here are registered users and we have taken adequate measures for the GDPR; it does not involve any expense.

In your country ask your agency data protection, in any case the registration and communication is free. We always talk about personal cases and non-profit forums.

You must communicate to all your users that by application of the law they must give their consent to follow there is registered or otherwise you must unsubscribe them.

In your personal case to be base personal data not public access you should not have any problem or sign up.

In the case of EDDB, EDSM, EDDiscovery, Inara, etc.: they have the obligation to inform all their registrants of the compliance with the new data law, to protect them, to request informed consent to remain registered, or be able to use their data as before, and not pass them on to third parties, in addition to registering with the data protection agency of your country.

In all cases, a user must be able to know what data you have and if he asks you to delete them, they are deleted.
Also inform if these data are only for your own use and ask for express consent if you are going to give them to a third party.
 
Even established, all 3 have added some privacy policy.

Small thing like you agree to them on sign up, and what we do.
Basically on EDSM the only thing we have that is personal are emails and IP, they are used by logs, analytics and login features.

We have to protect ourselves, because we also had some people complaining that we use the data to rule the game, yes that's true sadly...

You can find them here, it's mostly the same as EDDB, thanks to him for the model... https://www.edsm.net/en/faq/privacy-policy
 
I'm not familiar with EU regulations, but as far as data gleaned from the game, I find it hard to equate this with personal data. Nothing I do ingame reveals anything about the real me. It's a virtual identity that doesn't exist in reality and would therefore have no civil rights.

The way they've written the definition of personal data leaves it ambiguous...
GDPR said:
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
In here it states that even a piece of information, like an online identifier or a name related to you is covered under personal data. If it can be used to identify you indirectly, it's considered personal data.
(Also do you own your CMDR name or is it licensed to you by Frontier Developments in the same way that Elite: Dangerous is licensed to you to play?)

How does it affect a citizen that they have friends in their personal database, or a group of friends that create a forum or web page where those personal data are ... then consider the minimum risk if there are no banking and / or business data and they should only take minimum measures of data protection.
I am finding it really difficult to understand most of what you're saying, but I have questions mainly on this bit above. Recital 18 tries to give examples of what constitutes personal activity (which would be excluded from GDPR) but it only lists corresponding. What about doing player tracking, say for BGS purposes or in what we're doing, tracking hauls to repair a station?

Even established, all 3 have added some privacy policy.

Small thing like you agree to them on sign up, and what we do.
Basically on EDSM the only thing we have that is personal are emails and IP, they are used by logs, analytics and login features.

We have to protect ourselves, because we also had some people complaining that we use the data to rule the game, yes that's true sadly...

You can find them here, it's mostly the same as EDDB, thanks to him for the model... https://www.edsm.net/en/faq/privacy-policy

That's pretty sad. :(
What I meant was because you're established, there is no question that you have to follow GDPR and update/add a privacy policy. For us small-medium player groups? Where does it leave us? Should we also follow it or are we excluded from the regulations?
 
I am finding it really difficult to understand most of what you're saying, but I have questions mainly on this bit above. Recital 18 tries to give examples of what constitutes personal activity (which would be excluded from GDPR) but it only lists corresponding. What about doing player tracking, say for BGS purposes or in what we're doing, tracking hauls to repair a station?

Sorry, my bad English.
In this special case, the best answer should be given by Frontier, because you can have cases of: Registration of a real player nick in a game, or a player's record NPCs.

If in a game registration is done in principle and with caution I would say that it does not affect the GDPR. There should not be any problems always in a game's data and it does not affect personal data

The question would be adequate to Frontier about this type of registration; of BGS and similar, since Frontier owns the rights of the game and his opinion would be more accurate
 
Username/Commander Name, IP-Address, Mail-Address are personal data. Even a simple IP-Address is personal data because "someone" can "easily" find out the connection between IP-address and the person behind to a certain date.

Frontier is using AWS - next problem.

Providing data to 3rd party (Collection of username etc.) not allowed. But:

Their privacy regulations were updated a couple of days ago and basically it says "if you are not ok with it, don't use the services". That's all they need. But they forgot Art. 17 and I have yet to see how they deal with the right to be deleted and how they enforce it to third party like the tools from the PvP-Guys.

I think we have to wait a couple of months until the one or other judge has decided how to deal with it.
 
I believe that Frontier does not provide personal data to players, only players who register with third parties who provide them.

Also almost certainly the Frontier data transmissions in the Elite Dangerous Game are encrypted, with which you use a third party program is your responsibility not Frontier, INARA, EDSM etc etc are required to encrypt and protect your data and also encrypt communications. It is possible that the programs of third parties that communicate between player and INARA or EDSM etc etc, must be blocked and reprogrammed so that the transmission through the network, of this data is encrypted.

 
All of our favourite tools rely on the transfer of data. EDDB, EDSM, EDDiscovery, Inara, etc. But these are established websites.

How does GDPR affect informal playergroups like those that run PMFs?

I've currently written the following on my thread about the data I collect.
The thing to remember is that GDPR allows collection of personal data for the legitimate purposes of the organisation, if such collection is proportionate and balanced with the rights of the individual.

So if you're a player group, it's absolutely fine to collect reasonable personal data from your members (e.g. names, contact details) and use it to run the group. Collection of personal data in the "sensitive" categories would be a bad idea and hard to justify on grounds of proportionality - but you probably weren't doing that anyway. And as always you need to take reasonable precautions against losing the data.

Similarly something like EDSM has a purpose of providing a map of the ED galaxy (legitimate purposes), as well as providing individual services to people who sign up to it. (The individual services could be provided under the "performance of contract" justification instead - the contract being largely implicit, of course)

For the repair spreadsheet, you have a purpose of coordinating an online social event. You only display data people have given you for that purpose, the personal data you collect is minimal anyway, you don't use the personal data for other purposes, and if for some reason someone wanted it removing from the sheet you would. Nothing to worry about.


Broadly if you were previously handling personal data in a proportionate, respectful and secure fashion ... you will generally need to make token changes only for GDPR compliance. If you weren't, it's not the GDPR that's the problem ... but that's unlikely to be the case for informal stuff people are doing with player groups in Elite Dangerous.
 
As with any new legislation, and especially far reaching ones like this, there will be a period of uncertainty, loopholes and disputes, which will lead to a number of court rulings to sort it all out.
I still have to try and wrap my head around it too, we probably all do.
And chances are, few of us will ever fully manage to. Pretty sure I won't.
 