MTG Corporate Website Privacy Policy

Welcome to our Privacy Policy which contains information on how we process personal data when you visit our website, communicate, or otherwise interact with us in the cases described below. If you have any questions regarding our use of your personal data, please feel free to contact us over the channels provided below.

When we refer to “you” in this Privacy Policy, we refer to you as data subject (see Section II. below for more details on what this means). If you are interacting with us on behalf of others, please make sure all affected people receive the information stated in this Privacy Policy.

I. Who Are We?

If we speak of “MTG”, “we” or “us” in this Privacy Policy, we refer to ourselves as controller as defined below. Our contact details are:

Modern Times Group MTG AB
Skeppsbron 18, Box 2094,
111 30 Stockholm, Sweden
Tel: +46 8 562 000 50

If you have any questions regarding this Privacy Policy, data protection or if you want to exercise your rights mentioned in Section IV., you can at any time contact our Data Protection Officer. His contact details are:

Dr. Matthias Walker
c/o Modern Times Group MTG AB
Skeppsbron 18, Box 2094,
111 30 Stockholm, Sweden
E-Mail: privacy@mtg.com

II. Meaning of Terms

The meaning of certain terms we use in this Privacy Policy is defined by the General Data Protection Regulation (“GDPR”). When we refer to the GDPR we are referring to the General Data Protection Regulation of the UK as well, unless we otherwise specify that we are referring to only one of them.

All definitions set out in Art. 4 GDPR apply to this Privacy Policy. We’d like to explicitly mention the meanings of the following terms to make transparent what the often-used terms personal data, data subject, processing, controller and processor mean according to the GDPR:

  • ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
  • ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
  • ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
  • ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
III. Legal Basis

As a controller we need a legal basis to process your data lawfully, according to Art. 6 para. 1 GDPR. If

  • you have given your consent to the processing of your personal data for one or more specific purposes, this forms a legal basis according to Art. 6 para. 1 let. a) GDPR;
  • the processing is necessary for the performance of a contract between you and us or in order to take steps at your request prior to entering into a contract, the legal basis for this is Art. 6 para. 1 let. b) GDPR;
  • the processing is necessary for compliance with a legal obligation that applies to us, the legal basis for this is Art. 6 para. 1 let. c) GDPR
  • the processing is necessary to protect our legitimate interests or legitimate interests of a third party and such legitimate interests are not outweighed by your interests or fundamental rights and freedoms, the legal basis for this is Art. 6 para. 1 let. f) GDPR.
IV. Your Rights

Under the GDPR you have certain rights concerning the processing of personal data by us. According to the GDPR you have the following rights:

  • Right of information: You have the right to be provided information regarding the processing of your personal data by us, in accordance with Art. 13 and 14 GDPR.
  • Right of access: You have the right to obtain confirmation as to whether we are processing your personal data and, if this should be the case, access to the personal data, in accordance with Art. 15 GDPR.
  • Right to rectification: You have the right to obtain rectification of inaccurate or incomplete personal data concerning you, in accordance with Art. 16 GDPR.
  • Right to erasure (“right to be forgotten”): Under certain circumstances you have the right to obtain the erasure of personal data concerning you, in accordance with Art. 17 GDPR.
  • Right to restriction: Under certain circumstances you have the right to obtain the restriction of processing, in accordance with Art. 18 GDPR.
  • Right to data portability: Under certain circumstances you have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and the right to transmit this data to another controller, in accordance with Art. 20 GDPR.
  • Right to object: Under certain circumstances you have the right to object to the processing of personal data concerning you, in accordance with Art. 21 GDPR. This includes but is not limited to the right to object in cases in which we process your personal data on the legal basis of Art. 6 para. 1 let. f) GDPR.
  • Right to lodge a complaint: You have the right to lodge a complaint with a supervisory authority, in particular in the Member State of the EU of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the GDPR, as set out in Art. 77 GDPR.The supervisory authority primarily responsible for handling complaints regarding data processing carried out by us is Integritetsskyddsmyndigheten, Box 8114, 104 20 Stockholm, Sweden, imy@imy.se.
  • Right to withdraw consent: If a processing of your personal data is based on your consent as set out in Art. 6 para. 1 let. a) GDPR or Art. 9 para. 2 let. a) GDPR, you have the right to withdraw your consent at any time, in accordance with Art. 7 para. 3 GDPR. Such withdrawal does not affect the lawfulness of processing based on consent before its withdrawal.
  • Right to not be subject to a decision based solely on automated processing: You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you, as set out in Art. 22 para 1 GDPR.
V. Recipients / Categories of Recipients

The personal data we process can also be either processed by other parties on our behalf and according to our instructions by processors or shared with and processed by other controllers. When data is processed according to this Privacy Policy, it is principally done so by our employees and freelancers commissioned by us that are responsible for the specific matter the data is required for.

The following list gives you an overview of the main providers of tools and services we use and who might be a recipient of your data:

Providers of office tools

Microsoft Enterprise Service Privacy
Microsoft Corporation
One Microsoft Way
Redmond, Washington 98052 USA

and

Microsoft Ireland Operations, Ltd.
One Microsoft Place
South County Business Park
Leopardstown
Dublin 18, D18 P521, Ireland (both together “Microsoft”)

and

Slack Technologies, Inc., 500 Howard Street, San Francisco, CA 94105
USA (“Slack”)

Data protection management tool

OneTrust Technology Limited
82 St. John Street
Farringdon, London EC1M 4JN United Kingdom (“OneTrust”)

Press release tool

Cision Sverige AB
Box 24194, 104 51, Stockholm
Sweden
(“Cision”)

Provider of data management systems and IT services

EVRY Sweden AB
Ekensbergsvägen 113
171 41 Solna Sweden
(„Tietoevry“)

Providers of streaming services

Svenska Financial Hearings AB
Brunnsgatan 21b, 111 56 Stockholm
Sweden

> Privacy Policy
(„Financial Hearings“)

 

Vimeo.com, Inc.
Attention: Data Protection Officer
330 West 34th Street, 5th Floor
New York, New York 10001
> Privacy Policy
(“Vimeo”)

Some of these recipients are established outside of the European Union. Principally, there are two possible safeguards we rely on when these recipients receive personal data of yours, to make sure an adequate level of protection for your data is provided:

  • If a recipient is located in a country for which the European Commission has found it provides an adequate level of data protection, we rely on such adequacy decision by the EU Commission.
  • If a recipient is not located in a country with an adequate level of data protection according to the European Commission, we either have concluded a contract with this recipient in which we agree on rules to make sure the recipient takes adequate care of your personal data (EU Standard Contractual Clauses developed by the European Commission) or we rely on binding corporate rules of a group of undertakings or enterprises that have been approved by a supervisory authority.

Apart from the main possible recipients mentioned above, the following categories of recipients can receive personal data from us, only if necessary for the specific case: financial and IT services; host providers; providers of data rooms for M&A transactions; potential buyers or sellers of an M&A transaction; external financial and legal advisors and auditors; courts or governmental authorities that legally legitimately oblige us (e.g., through subpoenas, court orders, governmental requests or search warrants) to disclose data; providers for streaming live events.

You can find details on which recipients and categories of recipients are involved in the processing of personal data under Section VI.

VI. General Data Processing

In the following we’d like to inform you about how we process your personal data. These are the general processing activities that can apply when you interact with us. Every processing activity is broken down into 5 parts:

(a.) What: What data is processed?
(b.) Why: For what purpose is the data processed?
(c.) Who: With whom do we share the data?
(d.) Legal Basis: What law allows us to process the data?
(e.) How Long: How long do we keep the data?

1. Communicating With You
  1. What
    If we communicate with you via email or mail, we process all personal data you disclose to us during our conversation (e.g., you name, email address, the reason why you are contacting us etc.).Apart from this, it is also possible that we use other online messaging systems to communicate with you, if you wish to contact us over these channels. Please note that if you wish to contact us via such messaging systems, it is possible that the respective companies that offer these communication services may also process your personal data and that regarding this their privacy policies apply. We have no influence over such data processing by third parties. For further information on how these services process your personal data, please view their privacy policies.
  2. Why
    Depending on the specific conversation with you, the personal data can either be processed in order to take steps at your request prior to entering into a contract with us or to perform a contract you have concluded with us. Also, the processing can be necessary for us to comply with legal documentation obligations. Apart from this, the processing can also be necessary for the purposes of our legitimate interest to respond to mails and calls of yours when you contact us and are not our contractual partner as well as to have proof regarding substantial content of our conversation, including but not limited to cases of potential legal claims on our or your side.
  3. Who
    Depending on the specific case, recipients of the processed personal can be our providers of office tools.
  4. Legal Basis
    The legal basis for processing the personal data in order to take steps at your request prior to entering into a contract with us or to perform a contract you have concluded with us is Art. 6 para. 1 let. b) GDPR.The legal basis for processing the data for compliance with our legal obligations is Art. 6 para. 1 let. c) GDPR.The legal basis for processing the data due to our legitimate interest is Art. 6 para. 1 let. f) GDPR.
  5. How long
    The data is stored at least for the time until our contract with you is fully performed. If the data has been stored in order to take steps at your request prior to entering into a contract with us, we will store the data for as long as reasons objectively exist to believe that the respective conversation will be continued within the foreseeable future. Apart from this, your data can be stored according to statutory storage periods, should such laws apply to the respective data as well as the applicable limitation period, so that we can sufficiently defend ourselves against claims.
2. Visiting Our Website
  1. What
    When you visit our website, we process your IP-address.
  2. Why
    We process this data to display the website correctly in your browser. This is a legitimate interest of ours.
  3. Who
    Recipients of the processed personal data can be our IT service providers and host providers.
  4. Legal Basis
    The legal basis for processing the data is Art. 6 para. 1 let. f) GDPR.
  5. How long
    The data is only processed during your visit of our website and not stored in log files.
3. Press Release Subscription
  1. What
    You can choose to receive our news and company information via email. To send you the press releases and reports we process your email address and your selection of content you wish to receive, as well as the information regarding whether you have opened the email we sent you and, if this is the case, the time it was opened.
  2. Why
    The purpose of processing the personal data is to keep you updated on our business developments, products, and services via email according to your preferences to receive the information, and to better understand what was of interest to you or not.
  3. Who
    Recipient of the processed personal data is the provider of our press release tool.
  4. Legal Basis
    The legal basis for processing your personal data is your declaration of consent, in accordance with Art. 6 para. 1 let. a) GDPR.
  5. How long
    Your personal data will be stored for as long as you do not withdraw your consent. You can at any time withdraw your consent with effect for the future by using the unsubscribe link at the bottom of the email you received from us, or by contacting communications@mtg.com.
4. Data Subject Requests
  1. What
    When you contact us to make use of your data subject rights (see above), we process your name, email address and any additional information you provide us in your request as well as personal data to verify your identity as legitimate data subject, if needed.We might also process your personal data when you contact another company of the MTG group which is an affiliate company of ours (“MTG Company”) with such a request if the company reaches out to us for legal advice regarding the matter.
  2. Why
    The personal data of your request is processed for the purpose of answering your request as well as the purpose of proving our compliance with the GDPR by helping you as data subject exercise your rights set out in the GDPR. This is also a legitimate interest of ours.If we process additional data of yours to verify your identity, this is done to prevent cases of fraud committed by using false identities which is a legitimate interest of ours.If we receive your personal data from an MTG Company, we process your personal to help the company respond properly by giving it legal advice. As parent company, we work closely together with all MTG Companies and support them to ensure their compliance as well as a group-wide compliance with applicable laws. This is a legitimate interest of ours and all MTG Companies.
  3. Who
    Depending on the specific case, recipients of the processed personal data can be the provider of our data protection management tool, our providers of office tools, and external legal advisors.
  4. Legal Basis
    The legal basis for processing the data of your request is Art. 6 para. 1 let. c) in connection with Art. 12 GDPR as well as Art. 6 para let. f) GDPR.The legal basis for verifying your identity is Art. 6 para. 1 let. f) GDPR.If we receive your personal data from an MTG Company, the legal basis for receiving and processing the data is Art. 6 para. 1 let. f) GDPR.
  5. How long
    The data is stored for three years starting with the end of the year in which you made your request, so we and/or the respective MTG Company are able to prove our compliance and defend ourselves against any potential claims within the general statute of limitations in Sweden for claims by consumers.
5. Legal Work
  1. What
    We work together with MTG Companies and external advisors to assess and manage legal matters. If a matter, or dispute between you and us or between you and an MTG Company (see definition in Section VI.4.a) requires relevant legal review, we and, if necessary, the relevant MTG Company, process the data relevant to the matter or dispute. In particular, this may include your name, e-mail address and contact details.It is possible that MTG Companies seek legal support from us as their mother company in legal matters. In such case we might receive personal data of yours from the respective MTG Company and process the personal data required to grant it legal report.If we would receive from authorized courts or governmental authorities a legally legitimate and binding obligation to disclose data (e.g., through subpoenas, court orders, governmental requests or search warrants), we would comply with such.
  2. Why
    The purpose of the processing of the data by us and – if applicable – the involved MTG Company is the effective and uniform handling of legal matters. This is a legitimate interest of ours and the involved MTG Company. In addition, the data processing may serve to conclude and perform contracts with you.As a parent company, we also have a legitimate interest in supporting MTG Companies with legal matters to safeguard our business interest of us, the respective MTG Company and the entire MTG Group.In case of legally legitimate and binding obligations by authorized courts or governmental authorities we would have a legal obligation to comply.
  3. Who
    Recipients of the processed personal data can be our providers of office tools as well as external legal advisors and auditors. We can receive your personal data from an MTG Company if it seeks our support in which case the same recipients can apply.In case of legally legitimate and binding obligations by authorized courts or governmental authorities such courts or authorities would be the recipients of the data.
  4. Legal Basis
    If the data processing concerns the conclusion or performance of a contract with you, the legal basis of the data processing is Art. 6 para. 1 let. b) GDPR.If the data processing is based on a legitimate interest, the legal basis is Art. 6 para. 1 let. f) GDPR.In case of legally legitimate and binding obligations by authorized courts or governmental authorities the legal basis for disclosing data would be Art. 6 para. 1 let. c) GDPR in connection with the respective laws that state the legal binding effect of the obligation.
  5. How long
    The storage period for data processed for the purpose of handling legal matters, disputes or complying with legal obligations is governed by the relevant limitation period, so that we can sufficiently defend ourselves against claims, or by the relevant legal obligations to retain documents.
6. Job Applications
  1. What
    We process personal data you provide when applying for a job or to work together with us as a freelancer (e.g., your name, date of birth, address, data included in your cover letter or CV etc.).
  2. Why
    The data is processed to decide if a contract with you will be concluded or, if you already have a contract with us, to perform our obligations, or terminate the contract.Your data will be stored if we have decided to not hire you, or if your employment with us has ended so we are able to defend ourselves against potential claims based on § 64 Diskrimineringslag in connection with § 10 Lag om medbestämmande i arbetslivet. This is a legitimate interest of ours.
  3. Who
    Recipients of the processed personal data can be our providers of office tools and external HR consultants.
  4. Legal Basis
    The legal basis for processing your personal data when you are applying and during your employment is Art. 6 para. 1 let. b) GDPR.The legal basis for processing your personal data if we have decided to not hire you, or if your employment with us has ended, is Art. 6 para. 1 let. f) GDPR.
  5. How long
    If we work together with you, your data is stored for the applicable statutory storage periods, in general this is ten years starting at the end of the year in which your contract has ended (criteria derived from the general statute of limitations of Sweden). Should we not decide to hire you, we will delete your application after two years starting with the decision of non-employment, so we are able to defend ourselves against potential claims based on § 64 Diskrimineringslag in connection with § 10 Lag om medbestämmande i arbetslivet.
7. Cookies, Website Analytics & Consent Management

We use cookies on our website. To make it easy for you to inform yourself about these and to grant or withdraw a potentially necessary consent of yours or object to a processing based on a legitimate interest of ours, we have implemented a consent management platform. You can at any time open the consent management platform by clicking the “CUSTOMIZE COOKIES” link at the bottom of our website. In the consent management platform and in our Cookie Policy, you will find all information on what data is processed, who the recipient is, the purpose, legal basis and storage period.

You can at any time of course also contact us via privacy@mtg.com if you want to declare your withdrawal or objection to us processing your personal data

8. No Automated Decision-Making

We do not process your data with means of automated decision-making (e.g., profiling).

9. Cybersecurity & Unsolicited Communications
  1. What
    In certain cases, we process your email address for cybersecurity reasons and/or for blocking unsolicited communications.
  2. Why
    The data is processed to block potential malicious communications and secure our IT systems if we have reason to believe that communications you send us pose a potential threat to our IT systems, and/or to block unsolicited communications you send us to protect our employees from content that negatively impacts their work and/or well-being.
  3. Who
    Recipients of the processed personal data can be our providers of office tools and our provider of data management systems and IT services.
  4. Legal Basis
    The legal basis for processing your personal data for cybersecurity purposes and for blocking unsolicited communications is Art. 6 para. 1 let. f) GDPR.
  5. How long
    We store your personal data for as long as we objectively have reason to believe that your communications pose a potential threat to our IT systems, and/or that you will send us further unsolicited communications.
10. Livestreams
  1. What
    Public Livestreams: You can sign up to receive an invitation for livestreams we offer, such as MTG’s quarterly results or our Capital Markets events, by signing up to our press release distribution. By signing up, we process obligatory data, such as your email address, name, and the name of the company you work for, and possibly optional data, such as your phone number.

    Internal Livestreams: If you are an employee or freelancer working for MTG or a Group Company, you can join internal livestreams we offer, such as All-Hands, or other global company events. To send you and invite and let you join the livestream we process your name and business email address.When you participate in a Public or Internal Livestream, the username you chose could be displayed to other participants, as well as your image and spoken word, depending on your settings. If you choose to ask a question or make a comment during the livestream or in the chat of a livestream, we process any personal data you might disclose by doing this.

    Public and Internal Livestreams can be recorded and uploaded to a video streaming platform to make the video available for people who weren’t able to attend the livestream.

  2. Why
    When you sign up to attend one of our live streams, we need to process the personal data to send you details on how to join the stream, to adequately prepare for the stream, and to, if needed, internally debrief regarding the success of the stream, e.g., which topics were of interest to which viewers and how we can improve our livestreams in the future.Data that is visible to other participants (username) or that you disclose during a livestream is processed by us to offer a functioning livestream and participation features.As a participant of a livestream, you can choose whether you want to have your image and spoken word displayed in the livestream. Please note that livestreams can be recorded and uploaded to video streaming platforms for people that aren’t able to attend the livestream. If you do not wish to be recorded, please let us know beforehand. In such case you will unfortunately not be able to join the livestream since we have no technical solution to exclude individual attendees from recording.
  3. Who
    The Recipients of the processed personal data vary from event to event. While we usually use our provider of office tools for group-internal livestreams (Microsoft), this can also be the case for public livestreams. Depending on the type of livestream, we may choose to use a different company for streaming the event.Internal Livestreams that are recorded can be stored on Microsoft Teams or Vimeo.Public Livestreams that are recorded can be stored on Vimeo or Financial Hearings.
  4. Legal Basis
    The legal basis for processing your personal data is Art. 6 para. 1 let. f) GDPR.
  5. How long
    Participant lists for our Capital Markets event are stored for a maximum period of one year.If a livestream is streamed and recorded via Financial Hearings, the video is stored and accessible for 3 years. Livestreams recorded via Microsoft Teams are deleted within a week after the stream has taken place.Internal Livestreams recorded and made accessible via Vimeo will be deleted after 3 months after having been made accessible.

    Should we use a different company for streaming an event, we will consider that the data used to participate in the livestream is not stored by that provider for longer than necessary.

VII. Group Cooperations – General Information

Together with our gaming studios we form a group of undertakings. We cooperate closely with the gaming studios of the group (each a “Group Company”) to learn from one another, help each other and improve how the group makes games. We like to see ourselves as a small gaming village in which we strive together to make great games.

The following Group Companies are part of our gaming village:

Hutch Games Ltd

2nd Floor Scrutton Street,
London, England, EC2A 4HH
UK

Privacy Policy

InnoGames GmbH

Friesenstraße 13
20097 Hamburg
Germany

Privacy Policy

Kongregate Inc

10680 Treena Street, Suite 155
San Diego, CA 92131
USA

Privacy Policy

Ninja Kiwi Limited

17 Shamrock Drive,
Kumeu, 0810
New Zealand

Privacy Policy

Ninja Kiwi Europe Limited

Unit 13, Vision Building, 20 Greenmarket, Dundee
DD1 4QB
United Kingdom

Privacy Policy

PlaySimple Games Private Limited India

Second Floor, Anjaneya Techno Park No. 147,
Kodihalli, HAL Old Airport Rd,
Bangalore – 560008
India

Privacy Policy

Playsimple Games Pte Ltd

30 Cecile Street
#19-08, Prudential Tower
Singapore, 049712

Privacy Policy

VIII. Group Cooperations – Joint Controllerships

What does joint controllership mean?

In some cases when we cooperate with a Group Company we jointly determine if and how certain personal data of yours is processed. In such a case the involved companies each are controllers of your data when doing so and the working relationship is called a joint controllership. We have concluded an agreement with all Group Companies in which the rules for our joint controllership are set out and which also includes so called standard contractual clauses that ensure that personal data of people located in the European Union (or European Economic Area) is adequately safeguarded when transferred between us and a Group Company that is not established in the European Union or a country considered to have the same level of data protection as the European Union.

In the following cases we and Group Companies are joint controllers of your personal data:

1. Mergers & Acquisitions
  1. What
    The Group Companies and we can support each other when buying or selling a company. In such cases a strictly limited number of personnel involved in such a transaction can receive access to personal data (e.g., names, email addresses, unique identifiers) included in relevant documentation shared by a potential seller or determine which personal data is shared with a potential buyer and how this shall be done. Principally, personal data is anonymized before it is disclosed and, should it be necessary to disclose personal data, such disclosure of personal data will be kept to a minimum.
  2. Why
    The purpose of such a cooperation is to review relevant material shared with us by a potential seller, so we and/or the involved Group Companies can make good business decisions, or to enable a potential buyer to do so when sharing such data with it. This is a legitimate interest of ours, the involved Group Companies, and the potential sellers or buyers.
  3. Who
    Recipients of the processed personal data can be our providers of office tools, providers of data rooms as well as external financial and legal advisors, involved Group Companies, and the potential buyer. We can receive your personal data from a Group Company, or a potential seller in which case the same recipients can apply.
  4. Legal Basis
    The legal basis for processing your personal data is Art. 6 para. 1 let. f) GDPR.
  5. How long
    The storage period for data processed for the purpose of handling legal matters or disputes is governed by the relevant limitation period, so that we can sufficiently defend ourselves against claims, and by relevant legal obligations to retain documents. If a transaction has been successful, we might be obliged to store the respective personal data according to the applicable statutory provisions, in which case we will store the documents according to the retention periods stated in such provisions. Personal data that is no longer relevant if a transaction has not been successfully made, will be deleted if it is not relevant for another purpose under this Privacy Policy.
2. Business Intelligence
  1. What
    We process a limited amount of pseudonymous data Group Companies share with us to get a better understanding of how you play our games and what you like about them, so we can help our Group Companies improve them. This includes a group-internal unique identifier, game title, time of install, platform, country code per install, marketing channel/category and marketing campaign, browser information, engagement with the game (log-in sessions), amount of money spent in the game, and how effective a marketing campaign was.
  2. Why
    A better understanding of how you play games of Group Companies and what you like about them helps us and the Group Companies make them better and improve how these are marketed. As parent company, it is essential for us that we can understand how games of the Group Companies are played and how effective the marketing efforts are to ensure that enough players enjoy our group’s games so we all can keep making them. This interest is shared by the Group Company whose game you are playing as well as the other Group Companies since they are part of our gaming village.
  3. Who
    Recipients of the data are Tietoevry and Microsoft who help us administer and manage the data. We receive the data from the Group Company whose game you are playing and do not share the data with other Group Companies.
  4. Legal Basis
    The legal basis for processing your personal data is Art. 6 para. 1 let. f) GDPR.
  5. How long
    The data is stored for as long as you are an active player of the game of our Group Company. Your data will be deleted or anonymized once you either have deleted your data (e.g., account) by requesting this from the Group Company (e.g., in the game) or after a certain time of inactivity from playing the game, which depends on the date of your last time you played the game. Please check out the privacy policy of the Group Company whose game you are playing for details on the retention period for data of inactive players.
3. Data Protection Compliance Work
  1. What
    We support the Group Companies with their data protection compliance work. Together with them, we can jointly process personal data of yours required to ensure compliance with data protection laws, e.g., names, email addresses, usernames, unique identifiers (e.g., game-ID players). E.g., this can be the case when you reach out to a Group Company with a data protection request, and the Group Company seeks our support to respond adequately and in time.
  2. Why
    We want to be able to offer you a high level of data protection when you play our group’s games. To ensure that Group Companies comply with relevant data protection laws we offer them our support. This is a legitimate interest of ours, yours, and all Group Companies.
  3. Who
    Recipients of the processed personal data can be our providers of office tools and OneTrust.
  4. Legal Basis
    The legal basis for processing your personal data is Art. 6 para. 1 let. c) GDPR in connection with Artt. 12, 30, 35 GDPR and Art. 6 para. 1 let. f) GDPR.
  5. How long
    The data will be stored for the duration that the Group Company you are contacting needs to be able to prove that it is complying with data protection laws. During this time, we will only access your request if we need to support the Group Company with your request or if we need to provide proof of our compliance work (e.g., to a data protection authority). Please check out the privacy policy of the Group Company whose game you are playing for details on the retention period for data protection requests.

Who can you contact?

When we process your personal data, you have certain rights under the GDPR, which you can find in Section IV. of this Privacy Policy. If you have questions regarding the joint controllerships or want to make use of your data protection rights, you can contact us anytime by using the contact address mentioned in Section I. of this Privacy Policy.

How is your data secured?

We have implemented technical and organizational measures to ensure a level of security appropriate to the risk presented by the processing in accordance with Art. 24 and 32 GDPR.

What happens in a case of a personal data breach?

In case of a personal data breach under the GDPR and if this breach is likely to result in a risk to your rights and freedoms, we will, without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the competent supervisory authority.

Should such breach likely result in a high risk for your rights and freedoms, we, or – where required by article 34 GDPR –, we, or the respective Group Company will inform you about the personal data breach without undue delay.

IX. Group Cooperations – Independent Controllerships

Apart from cases in which we jointly process personal data, we cooperate with other Group Companies as independent controllers of your personal data in the following cases:

1. Developing or Distributing Games
  1. What
    We can support Group Companies when they are developing or distributing their games (e.g., consulting regarding game features or functionalities). In the process of this it is possible that certain personal data of players of the games might be disclosed to us, such as names, email addresses, usernames, or unique identifiers. Such personal data will not be actively stored or used by us for such support.
  2. Why
    Since we and the Group Companies are part of the same group and we are their parent company, we all share the legitimate interest of developing and distributing great games. To be able to do this we work closely together.
  3. Who
    Recipients of the processed personal data can be our providers of office tools.
  4. Legal Basis
    The legal basis for processing your personal data is Art. 6 para. 1 let. f) GDPR.
  5. How long
    The personal data is stored by the Group Company whose game you are playing according to its applicable retention periods (e.g., the retention period for your account data). Please check out the privacy policy of the Group Company whose game you are playing for details.
2. Legal Support
  1. What
    We can support Group Companies with legal guidance regarding legal complaints, claims, court proceedings or other legal matters they might be facing. In such cases we might receive personal data (e.g., names and contact details of plaintiffs or complainants) of persons involved in such legal matters from the Group Company we are supporting.
  2. Why
    Since we and the Group Companies are part of the same group and we are their parent company, we all share the legitimate interest of effectively handling legal complaints, claims, court proceedings or other legal matters we might be facing. To be able to do this, we work closely together.
  3. Who
    Recipients of the processed personal data can be our providers of office tools.
  4. Legal Basis
    The legal basis for processing your personal data is Art. 6 para. 1 let. f) GDPR.
  5. How long
    The data will be retained according to legal obligations (e.g., employment laws) or our legitimate interest of defending ourselves or the respective Group Company against legal claims.
3. Freelancer & Outsourcing
  1. What
    If you are a freelancer providing services to a Group Company, it can share certain personal data of yours with us, e.g., names and contact details.
  2. Why
    Since we and the Group Companies are part of the same group and we are their parent company, we all share the legitimate interest of effectively handling budgets and ensuring an effective project management which can make it necessary for the Group Companies to share with us information on the freelancers with whom they work with.
  3. Who
    Recipients of the processed personal data can be our providers of office tools.
  4. Legal Basis
    The legal basis for processing your personal data is Art. 6 para. 1 let. f) GDPR.
  5. How long
    The personal data will be stored at least for the term of the contract you have with the Group Company and, if required by bookkeeping laws, for as long as it is necessary to retain documentation on financial transactions connected to your work.

Last Updated: November 6, 2023