GDPR

Overview

The GDPR service helps you ensure your game’s compliance with the General Data Protection Regulation (GDPR) of the EU as well as the California Consumer Privacy Act (CCPA) of the state of California in the United States. These laws dictate how you and your users can use and manage the user’s personal data. Below you’ll find two tables that list each right guaranteed by these laws, and which AccelByte service is related to that right.

GDPR

Individual RightRelated ServiceRemarks
The Right to Restrict ProcessingUAMThe Right to Restrict Processing allows users to prevent their personal data from being used. Compliance with this right is ensured by giving each player the option to deactivate their account at any time.
The Right to RectificationUAM, Event LogThe Right to Rectification allows users to make changes to any personal data stored within the UAM Service. It also requires the platform to be able to inform players of any changes made to that data. We use the event log service and mailer service to inform players about those changes.
The Right to ObjectLegalThe Legal Service acts as a gatekeeper that allows players to object to how the platform uses their data by requiring them to agree to your terms and conditions before they can access the platform.
The Right to ErasureGDPRThe GDPR service functions as an automated service that schedules deletion of user data across services when a user requests it.
The Right to Data PortabilityGDPRThe GDPR service ensures that user data collected across services is readable and potentially usable by different external services.
The Right to be InformedLegalThe Legal service allows you to provide players with information related to how the platform works and what personal data it collects from them.
The Right to AccessGDPRThe GDPR service functions as an automated service that schedules collection of user data across services when a user requests it.
Rights in Relation to Automated Decision Making and ProfilingEvent Log, Telemetry, AnalyticsTelemetry and Analytics are configurable to ensure that users can opt-in or opt-out of the data collection process performed by those services.

CCPA

Individual RightRelated ServiceRemarks
Rights to NoticeLegalThe Legal service allows you to provide players with information related to how the platform works and what personal data it collects from them.
Rights to KnowGDPRThe GDPR service functions as an automated service that schedules collection of user data across services when a user requests it.
Rights to Data PortabilityGDPRThe GDPR service ensures that user data collected across services is readable and potentially usable by different external services.
Rights to DeletionGDPRThe GDPR service functions as an automated service that schedules deletion of user data across services when a user requests it.
Rights to Opt-OutN/AAccelByte doesn’t sell consumer data, so we don’t support this by default. It is your responsibility to ensure adherence to this regulation.
Rights to Opt-In for Children’s Personal InformationN/AAccelByte doesn’t sell consumer data, so we don’t support this by default. It is your responsibility to ensure adherence to this regulation.
Notify Consumers of Their RightsLegalThe Legal service allows you to provide players with information related to their rights under CCPA.

How It Works

The two most basic rights users have to their data are the right to access that data and the right to delete it. The sequence diagrams below show how these requests are handled by our services.

Right of Access

Users can request access to their personal data either through the user platform, or manually. A personal data request should be processed within 28 days.

Personal Data Retrieval Process

The chart below shows the different statuses a personal data request may move through, and for how long the request can be processed before it expires or is removed from the queue.

gdpr-overview

Request Status

  • Pending The request is waiting to be processed.
  • In-progress The request process has been started.
  • Retrying If the request fails it will be automatically retried. The request will be retried a maximum of three times by default.
  • Failed The request will be marked as Failed if the third retry is not successful. Both the user and the admin will be notified of this failure, so that they can re-submit the request either from the user portal or admin portal.
  • Expired This status only occurs if there is a problem with the related services. If a request expires, the user or admin will have to make a new request.
  • Removed from queue After 56 days, any remaining requests are automatically removed to optimize the service.

Successful Personal Data Request

gdpr-overview

Canceled Personal Data Request

gdpr-overview

Failed Personal Data Request

gdpr-overview

Right to Erasure

Users can request their personal data be deleted either through the user platform, or manually. The request should be processed within 28 days.

Personal Data Deletion Process

The chart below shows the different statuses a data deletion request may move through, and for how long the request can be processed before it fails.

gdpr-overview

Request Status

  • Request This status indicates that the request has just been made but the user’s access token has not been revoked yet.
  • Pending This status indicates that the user’s access token has already been revoked. The deletion request can still be canceled until the expiry date of the request.
  • In Progress After the request has expired, the scheduler will begin the deletion process for the user’s account.
  • Failed If the deletion process fails, the admin will be notified via email. The admin can then re-request the account be deleted, which will change the request’s status back to pending.

Successful Data Deletion By User

gdpr-overview

Canceled Data Deletion By User

gdpr-overview

Data Deletion by Admin on Behalf of User

gdpr-overview

Deletion Process After Request Expiration

gdpr-overview

Retry Process for Failed Request

gdpr-overview