LEGITIMATE INTEREST ASSESSMENTS
The present document aims at disclosing the Legitimate Interest Assessments carried out by Gameloft SE in relation to the operations encompassed within the Interactive Advertising Bureau (“IAB”) TCF Special Purpose 2 – “Deliver and present advertising and content” (Part I) and Special Purpose 3 – “Save and communicate privacy choices” (Part II).
PART I
LEGITIMATE INTEREST ASSESSMENT FOR SPECIAL PURPOSE 2 – DELIVER AND PRESENT ADVERTISING AND CONTENT
Gameloft SE carries out the present Legitimate Interest Assessment (LIA) with the intention to demonstrate the compliance and legitimacy of reliance on legitimate interest as a legal basis to perform the in-game contextual advertising operations encompassed within the Interactive Advertising Bureau (“IAB”) TCF Special Purpose 2 – “Deliver and present advertising and content”.
1- LEGITIMATE INTEREST IDENTIFICATION
Gameloft SE (“Gameloft”) is a French headquartered mobile game publishing company, operating internationally (through 18 entities located worldwide). Gameloft’s catalogue includes a wide-range variety of games, which are distributed via major distribution platforms and which may appeal to diverse and international audiences.
Gameloft has developed a renowned expertise in the digital advertising industry, and has constituted a network composed, amongst other parties, of advertisers, media agencies and programmatic vendors. Gameloft has developed its proprietary advertising solution and provides for advertising services to websites, applications and digital properties publishers (“Publisher(s)”) interested in monetizing the advertising inventory available within their digital properties, hence appointing Gameloft as an advertising sales representative.
Within the framework of providing for such services, Gameloft is registered as an IAB Europe Vendor 1198, relying on the technical specifications and on the IAB Europe Transparency & Consent Framework – Policies (version 2023-05-15.4.0 and upcoming versions, as applicable) (“IAB TCF v2.2 Policies”).
These services consist in the selection and serving of advertising content, either directly or programmatically, within Publishers’ digital properties. In other words, the selection and display of advertising content may be carried out in collaboration with advertisers and/or media agencies Gameloft has a direct relationship with (direct operations), or with intermediary platforms, such as supply-side platforms, enabling a wide-range variety of advertisers and media agencies to have access to an advertising space and to display their advertising content, based on a real-time bidding process (programmatic operations). Regardless of the method, digital advertising may also be divided in two main categories: targeted advertising (also referred to as “interest-based” or “behavioural” advertising) and contextual advertising (also referred to as “non interest-based” advertising).
-
Targeted advertising is a user-centered advertising method. It refers to the processes allowing advertisers and publishers to display advertising based on the observation of the users’ characteristics, their behaviour over time and their interests. Such observation is made possible through the collection and processing of users' personal data – such information being provided directly or indirectly by users, including where applicable their age, gender, location, user and/or device identifiers, advertising identifiers, data collected through their browsing activities and interactions with a content. In compliance with the applicable Data Protection regulations and with the IAB TCF v2.2 Policies, targeted advertising operations are carried out upon end-users’ prior, informed and express consent.
-
Contextual Advertising is a content-centred advertising method. It refers to the practice of displaying advertising based on the content of an application, a website, or of a digital property the end-user is visiting/using. This means that, unlike targeted advertising, the advertising is not based on user’s personal information, and is not tailored to the end-user’s precise location, age, interests or behaviour – but is based on a limited set of data (as described hereinafter) and on the editorial content of the digital property the advertising is displayed in. Carrying out contextual advertising, for instance, may translate into displaying an advertising for a car tires manufacturer in a racing game, or and advertising for running shoes in a sports-related application.
Unlike targeted advertising that cannot be displayed to users without their specific consent, Gameloft may participate in the selection and display of contextual (non-targeted) advertising to users without receiving their consent from the Publisher. To proceed so and with respect to the contextual advertising operations encompassed within the IAB (Interactive Advertising Bureau) TCF Special Purpose 2 – “Deliver and present advertising and content” (“Special Purpose 2”), Gameloft has identified legitimate interest as a suitable legal basis.
Such legal basis is expressly described as an available legal ground under Article 6(f) of the Regulation (EU) 2016/679 (General Data Protection Regulation – hereinafter referred to as “GDPR”). Pursuant to this Article, a processing of personal data “shall be lawful only if and to the extent that at least one of the following applies: (…) (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child”.
-
2- NECESSITY ASSESSMENT
In the present section, we will demonstrate that, pursuant to Article 6(f) GDPR, the processing of end user’s personal data is “necessary for the purposes of the legitimate interests pursued by the controller” and that there is no less intrusive way to achieve the result contemplated herein.
As further detailed hereafter, while operating its advertising services to Publishers, Gameloft SE acts as a Controller of Publishers’ end-users’ personal data.
Is this a reasonable way to reach Gameloft’s objectives?
Could there be a less intrusive way to get the same result?
|
Publishers can ensure the monetization of their digital properties using various mechanisms, including by monetizing their advertising inventories. As an advertising sales representative, Gameloft is appointed to ensure the sale and to optimize the monetization of Publishers’ advertising inventories. As previously explained, such services may be provided based on targeted (interest-based) advertising operations, which are indisputably subject to Publishers’ end-users consent, as such methods involve the collection and processing of user’s device and/or advertising identifiers, which are obtained by reading and/or storing information on user’s devices. Such services may also be provided based on contextual advertising operations.
Gameloft is hereby assessing its reliance on legitimate interest as a lawful legal basis to perform contextual advertising operations pursuant to the IAB TCF Special Purpose 2, as the operations encompassed within such Special Purpose are necessary for Gameloft to ensure the provision of a minimum advertising service, that does not involve the consent-based collection and processing of user, device and/or advertising identifiers and of user’s personal information for consent-based purposes.
In this sense, in order to perform contextual advertising as per Special Purpose 2, Gameloft only has access to a limited set of data including:
- Limited ttechnical information about device capabilities (such as the screen size/resolution.) to ensure the technical compatibility of the advertising and to facilitate the transmission of the ad to the device (for instance, for the purpose of displaying the ads in a suitable format); -IP address, to detect the user’s coarse location (country/state level). This information is not processed at user-level (to target a specific user) but is used to ensure that the advertising is displayed in a suitable language and geographical context (for instance, an advertising for a French brand or service is suitable for an audience based in France, not in the USA).
The overall purpose is to technically support the advertising delivery system. Therefore, such method does not require to access to and to process any data that allows the direct and/or namely identification of a user, nor data that allows the indirect identification of a user or that provides insights on the individual’s preferences and online behaviors. In addition, the collection of the abovementioned information does not allow Gameloft to proceed to frequency capping and to click-fraud prevention operations, as these activities may be based on the collection of individual identifiers.
Therefore, with emphasis put on the fact that this method is centred on the Publisher’s editorial content, and not on user-related personal information, Gameloft considers that contextual advertising operations carried out as per Special Purpose 2 are “low privacy impact” and “low intrusion” advertising practices and data processing operations. |
Will this data processing actively further the overall interest? |
No, this collection and processing of data do not contribute to an overall interest per se. The purpose of this processing is for Gameloft to be able to provide for basic advertising services to the Publishers. |
-
-
3- BALANCING WITH INDIVIDUAL’S RIGHTS
-
As a Controller, Gameloft values Publishers’ end user’s privacy and fully understands its responsibility to protect the individual’s interests.
What is the relationship between Gameloft SE and the user?
|
Gameloft is in indirect relationship with the user. Indeed, in such instance, Publishers have a direct relationship with the end-users of their digital properties and are the controllers of the data collected and made accessible to Gameloft for the purposes of advertising selection and serving. Once enabled to receive and/or access to such data, Gameloft is acting as an independent controller – independently determining the means of processing and, to the extent Special Purpose 2 is concerned, determining the applicable legal basis for such processing operations.
Although its relation to the users is indirect, users are informed about the operations carried out by Gameloft as a controller through Publisher’s documentation and disclosures (including Privacy Policy and/or Consent Management Platform, referring to Gameloft’s privacy disclosures as applicable, in compliance with Article 14 GDPR). |
Is any of the data considered sensitive or special?
|
No – Gameloft does not collect, retrieves, nor otherwise prompts, encourages or requires Publishers to collect, process and otherwise make accessible to Gameloft any sensitive or special categories of personal data from and about end-users. |
Would the user reasonably expect Gameloft SE to use their data in this way?
|
Although its relation to the users is indirect, users are informed about the operations carried out by Gameloft as a controller through Publisher’s documentation and disclosures (including Privacy Policy and/or Consent Management Platform, referring to Gameloft’s privacy disclosures as applicable, in compliance with Article 14 GDPR). To this extent, users may reasonably expect Gameloft to use their data for advertising purposes. This expectation may be strengthened by Publisher’s own general disclosures about their digital properties’ monetization methods, as applicable. |
Could some users object and say the processing is too intrusive?
|
Substantially, to the extent a processing of personal data is at stake, it is understandable that an individual could express concerns regarding their privacy. For this simple reason, we cannot strictly reply “no” to this question.
However, as per GDPR and other Data Protection applicable regulations, users are entitled to request more information about the processing of their personal data. As a controller of the data it receives from Publisher (for Special Purpose 2, and for other purposes as applicable), Gameloft enables users to request information about Gameloft’s data processing and privacy practices, via email, mail and via dedicated Privacy Forms (accessible through its Privacy Policy and handled by its Customer Services and Privacy Teams). Specifically, Gameloft enables users to request information about the categories of data processed and the corresponding purposes, including with respect to the set of data handled for contextual advertising purposes. |
How will the data processing impact the individual?
|
As explained above, Gameloft considers that the impact of contextual advertising is very low, as the process does not rely on identifiable or sensitive data, or device/persistent identifiers, and as this process is not based on the user’s age, gender, past and detected behavior, researches, interactions with the app or other apps, preferences, etc. As previously stated, the only category of personal data involved is the user’s IP address, which is not collected to fetch user-level information or to target a specific user, but to enable the selection and serving and the technical delivery of an advertising that is relevant to a wide geographical area and in line with the language of the digital property’s content. Therefore, the core consequence of the processing of data based on legitimate interest is the display of contextual advertising within the Publisher’s digital properties (technical selection and delivery of content, exempt from frequency capping, click-based fraud prevention or similar tracking operations of any kind). Gameloft considers, from a vendor standpoint, that the possible impact is set to its minimum level. |
What safeguards can you put in place to minimize the impact?
|
Regarding user’s experience, the collection of a limited set of technical information about the device enables Gameloft to ensure that the contextual advertising is served in formats that minimizes the disruption of the browsing or usage experiences of user’s on Publishers’ digital properties.
Regarding data collection/access and processing operations, Gameloft’s Security standards and Data Breaches policies are applicable. In this sense, Gameloft has implemented technical and organizational measures to ensure the confidentiality, integrity and availability of the data, in transit and at rest. These measures apply to Gameloft’s servers, infrastructures, cloud storage instances and premises. In addition, Gameloft’s personnel undergoes privacy trainings and is subject to confidentiality rules and commitments. Gameloft also undertakes security and confidentiality commitments as part of its contractual relationship with each Publisher (including via Data Processing Agreements and EU Standard Contractual Clauses as applicable). |
Following the above balancing test, Gameloft is confident that the individual’s interests do not override the legitimate interests contemplated herein.
CONCLUSION. Following this Legitimate Interest Assessment, Gameloft confirms that:
-
Legitimate interest is the most appropriate legal basis for the processing of end users’ personal data for displaying contextual in-game advertising operations encompassed within the IAB (Interactive Advertising Bureau) TCF Special Purpose 2 – “Deliver and present advertising and content”.
-
In that sense, Gameloft confirms that the processing is necessary and that there is no less intrusive way or more relevant legal basis to achieve the same result.
-
Furthermore, Gameloft confirms that end users’ data are processed in ways they would reasonably expect or in ways they would find intrusive or which could cause them harm.
-
To the extent that Gameloft has not identified a significant privacy impact to this processing, it has not considered conducting a DPIA.
-
Gameloft undertakes to monitor this LIA on a regular basis and to update it, shall the circumstances, including but not limited to the data processing methods, security measures and regulatory obligations, be evolving.
PART II
LEGITIMATE INTEREST ASSESSMENT FOR SPECIAL PURPOSE 3 – SAVE AND COMMUNICATE PRIVACY CHOICES
Gameloft SE carries out the present Legitimate Interest Assessment (LIA) with the intention to demonstrate the compliance and legitimacy of reliance on legitimate interest as a legal basis for the purpose of Saving and communicating data subjects’ (end-users of Gameloft’s digital properties) privacy choices. This purpose may be furtherly described as “Special Purpose 3”, as a direct reference to the Interactive Advertising Bureau (“IAB”) Special Purpose 3 – Save and communicate privacy choices, as listed in the Transparency & Consent Framework Policies.
-
1- Legitimate interest identification
Gameloft SE (“Gameloft”) is a French headquartered mobile game publishing company, operating internationally. Gameloft’s catalogue includes a wide-range variety of games, which are distributed via major distribution platforms, and which may appeal to diverse and international audiences.
Gameloft has developed a renowned expertise in the digital advertising industry, and has constituted a network composed, amongst other parties, of advertisers, media agencies and programmatic vendors. Gameloft has developed its proprietary advertising solution and provides for advertising services to websites, applications and digital properties publishers (“Publisher(s)”) interested in monetizing the advertising inventory available within their digital properties, hence appointing Gameloft as an advertising sales representative.
For the purpose of providing for such services, Gameloft is registered as an IAB Europe Vendor 1198, relying on the technical specifications and on the IAB Europe Transparency & Consent Framework Policies (version 2024-06-3.5.0 and upcoming versions, as applicable).
These services consist in the selection and serving of advertising content, either directly or programmatically, within Publishers’ digital properties. The selection and display of advertising content may be carried out in collaboration with advertisers and/or media agencies Gameloft has direct relationships with (direct operations), or with intermediary platforms, such as supply-side platforms, enabling a wide-range variety of advertisers and media agencies to have access to an advertising space and to display their advertising content, based on a real-time bidding process (programmatic operations). Such operations may pertain to contextual advertising (advertising that is selected based on limited information and in relation to the nature and content of the Publisher’s property), and/or to targeted advertising (advertising that is selected based on a more complete set of data, contemplating the user’s supposed interests).
To carry out such advertising operations with Gameloft, Publishers implement methods to collect, record and disseminate users’ privacy choices, which can include their consent (acceptance or refusal) or their choice of opting out of operations based on Publisher’s and/or Vendors legitimate business interests. Saving and communicating users’ privacy choices involves the usage of IAB’s TC Strings, which are a recording of user’s privacy choices relying on an established technical and organizational framework called “Transparency and Consent Framework v2.2”. Such processing is performed for the purpose of ensuring and being able to demonstrate that users have consented to or not objected to the processing of their personal data, for various purposes and/or vendors, including the advertising operations carried out by Gameloft, as stated above.
In the context of operations based on Special Purpose 3 – , various interests may be identified as benefiting to Gameloft, and to the stakeholders Gameloft may involve in the performance of its operations:
1) As explained above, Publishers are responsible for collecting user’s privacy choices, which are encapsulated in the TC String. The TC String is a critical tool to ensure that user’s privacy choices can be recorded (i.e. the giving, refusing or withdrawing of consent by users and the exercise of their right to object) and communicated to Gameloft.
2) As a registered IAB Vendor, Gameloft receives unique (per user), accurate (detailed, up-to-date information) and inalterable TC String. The TC String includes granular information on user’s choice per purpose and per vendor. Gameloft has the capacity to retrieve the content of the TC String, and to acknowledge the user’s choices per applicable data processing purpose, which enables it to observe those choices while moving forward with the permitted advertising-related operations.
3) Gameloft has the capacity to forward this unique TC String to other participants of the advertising chain, including programmatic vendors and advertisers, as the case may be. This ensures that all the relevant stakeholders have access to the user’s privacy choices and are enabled to act accordingly, supporting the compliance with user’s choices across the advertising chain.
4) The processing of TC Strings is beneficial for Publisher, for Gameloft and for downstream participants, as it contributes to demonstrating compliance with the accountability principle pursuant to Article 5(2) of the GDPR.
5) In addition, the processing can support Data Protection Authorities in their investigations and audits of TCF participants, in particular to verify that users’ privacy choices are appropriately respected.
Gameloft identifies legitimate interest as a suitable legal basis to process the TC String. Such legal basis is expressly described as an available legal ground under Article 6(f) of the Regulation (EU) 2016/679 (General Data Protection Regulation – hereinafter referred to as “GDPR”). Pursuant to this Article, a processing of personal data “shall be lawful only if and to the extent that at least one of the following applies: (…) (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child”. In addition, Gameloft hereby states that the above listed interests, in line with Recital 47 of the GDPR and also supported by Opinion 06/2014 of the Article 29 Working Party 2, may be considered to be legitimate.
-
2- necessity assessment
In the present section, Gameloft intends to demonstrate that, pursuant to Article 6(f) GDPR, the processing of the TC String, which may be considered as personal data, is “necessary for the purposes of the legitimate interests pursued by the controller” and that there is no less intrusive way to achieve the result contemplated herein. This involves stating that, while operating its advertising services to Publishers, Gameloft SE acts as a Controller of Publishers’ end-users’ personal data.
2.1 Is each element of the data processed necessary for the purpose and interest?
In the context of the processing of TC String, it is as a first step important to assess whether the information contained in the TC String is strictly necessary to achieve the intended purpose. In that respect, the TC String captures the following information:
-
General metadata: standard markers that indicate details about the Publisher’s implementation of the TCF (e.g. the ID of the CMP that is used, the language of the UIs, whether the UIs use non-standard texts, such as custom stacks or illustrations) and a day-level timestamp of when users have made/updated their choices.
-
The user’s consent per purpose and per vendor when the legal basis is Consent (“1” meaning user’s consent and “0” meaning user’s refusal or withdrawal of consent).
-
The user’s right-to-object per purpose and per vendor when the legal basis is Legitimate interest (“1” meaning the user was informed and “0” meaning the user was not informed or the user’s objection to processing)
-
Publisher restrictions: metadata specific to the publisher’s implementation of the TCF, e.g. indicating a general prohibition for certain vendors to pursue a given data processing purpose.
-
Where applicable, the user’s choices for purposes that are not covered by the TCF or for vendors that are not participating in the TCF (“1” meaning user’s agreement and “0” no agreement).
Accordingly, the TC String contains only information that is strictly necessary to achieve the intended purpose of saving, communicating and observing users’ privacy choices.
2.2 Is the operation (or set of operations) performed on the data necessary for the purpose and interests?
The processing of the TC String by Gameloft involves the following operations, which are all deemed strictly necessary to retrieve, acknowledge and record the user’s privacy choices, and to ensure that such choices are properly respected within the framework of the operations:
-
Retrieval of the TC String. Publishers send the TC String via a designated parameter in the server-to-server call. Publishers are responsible for transmission.
-
Verification that the TC String originates from a CMP participating in the Framework. To do so, Gameloft processes the TC String and reads the CMP ID within the string to ensure that it matches.
-
Verification that Gameloft has an established a legal basis, for each Purpose, to perform the advertising-related operations. Gameloft reads the full string to ensure that it has permission to process the TC String.
-
Disclosure/forwarding of the TC String to other participants and/or entities. The TC String is transmitted via agreed upon methods/locations with IAB vendors.
2.3 Are the periods of retention for the data justified?
The TC String is not stored or cached per se by Gameloft but only processed in real time when transmitted to Gameloft. TC Strings are erased once they have been read and processed accordingly for the relevant purpose.
However, TC Strings are stored by Gameloft’s consent management platform provider, for the duration necessary to fulfil the purposes for which it was collected, including legal requirements, enabling Gameloft to access to and further process the TC Strings as may be required in relation to its operations, including to demonstrate its compliance with data subjects’ choices within the framework of regulatory requests, or to address data subject’s requests.
-
3- balancing with individuals’ rights and interests
Gameloft acknowledges that the more sensitive the collected data is, the more it is likely to intrude on the data subjects’ interests, or to create risks to data subjects’ fundamental rights and freedoms, and therefore the more it weighs against legitimate interests. As a result, the nature of the personal data processed should be appropriately evaluated as part of the balancing test.
3.1 Nature of the collected and processed personal data
In the present case, the TC String is a string of characters that represent an abstract user’s privacy choices without directly attributing these to any specific user.
Indeed, the combined state of these various privacy choices is not unique, as millions of users visit digital properties on the same day and can express the exact same preferences. The number of choices a user can make is always limited, and the other attributes of a TC String constitute stable, low entropy metadata data laid out in a fixed order (e.g. the language in which the information was presented or the day where the user preferences were expressed/updated).
Finally, the TC String does not encapsulate any special categories of personal data or personal data relating to criminal convictions and offences. Indeed, even if the TC String can be used for recording user’s choices for purposes that are not covered by the TCF or for vendors that are not participating in the TCF, the TCF is not intended nor has it been designed to facilitate the lawful processing of special categories of personal data or data relating to criminal convictions, and should therefore never be used to engage in these more strictly regulated processing activities. The nature of the personal data in question is therefore not sensitive in any way.
3.2 Reasonable users’ expectations
The users of Publishers’ digital properties have access, in the various ways described hereafter, to information pertaining to the collection and processing of their privacy choices and are therefore enabled to expect and understand the implications of the processing.
-
This document, as well as the publicly available IAB EU Transparency and Consent Framework Policies include detailed information pertaining to the scope and implications of Special Purpose 3-related operations. This includes the following user-friendly purpose description, which may also be displayed to users within the Consent Management Platforms (CMPs) operated by the Publishers in their respective apps/websites or digital properties, along with the Publishers’ applicable policies and disclosures:
-
Special Purpose 3 – Save and communicate privacy choices
Description: The choices you make regarding the purposes and entities listed in this notice are saved and made available to those entities in the form of digital signals (such as a string of characters). This is necessary in order to enable both this service and those entities to respect such choices.
Illustration provided by IAB: When you visit a website and are offered a choice between consenting to the use of profiles for personalized advertising or not consenting, the choice you make is saved and made available to advertising providers, so that advertising presented to you respects that choice.
-
Information about where the TC String is stored and how long it is stored and processed is disclosed hereafter (and may be disclosed by Publishers in their own CMPs and policies): The TC String is read and processed in real-time once received. We don’t store the information once processed.
3.3 Likely impact
Gameloft hereby states, in line with IAB’s declarations, that the processing notably ensures that users’ privacy choices can be respected (i.e. the giving, refusing or withdrawing of consent by users and the exercise of their right to object) and that they do not have to make those choices again on each subsequent use of the relevant digital property. It is therefore evident that data subjects benefit positively from the processing first and foremost.
Gameloft recognizes the importance of identifying the likelihood of any risk that could materialize as a result of the processing, as well as the severity of its consequences. In the context of the Special Purpose 3, the TC String itself does not present any particular privacy risks for data subjects, as it merely reflects their privacy choices. It is moreover generally a service-specific and non-unique data point (as it is entirely possible that a multitude of users make the same choices on any given day - see “Nature of the personal data” above). It does not as a result introduce new vectors for cross-website tracking (such as fingerprinting). Additionally, Special Purpose 3 does not cover such processing activities, which are separately covered by Special Feature 2 and for which users are always given the choice to opt-in. Therefore, the processing does not entail any heightened privacy risks for data subjects; instead, it embodies the principle of data minimization.
3.4. Safeguards
3.4.1 IAB TCF-related safeguards
Gameloft’s operations as a registered IAB Vendor are reliant on the compliance with IAB EU TCF Policies, which set a technical, organizational and contractual framework structured around the protection of the integrity of the TC Strings. The IAB Europe regularly monitors TCF participants’ compliance with the Policies, - including to verify that TC Strings are created adequately to faithfully represent the privacy choices made by end-users in the CMP UIs, and are forwarded without any modification or falsification.
3.4.2 Safeguards implemented by Gameloft
In addition, Gameloft has implemented appropriate safeguards and protection in relation to the processing of the TC String. Such measures can include, but are not limited to:
-
Technical, administrative and physical safeguards for securing the data (e.g. the use of encryption technologies for storing the data);
-
Internal policies and procedures that document such measures or at least the type of safeguards to be implemented in any project, initiative or technical solution that relates to the collection and use of TC Strings as well as any use of data on the basis of privacy choices;
-
Equivalent external policies and procedures when working with a supplier;
-
Due diligence and audits performed internally and externally (e.g. assessment of partners to which you forward the data and live monitoring of your technical integration with them)
-
4- Compelling legitimate interest Demonstration
Where legitimate interests are relied upon as legal ground for processing, Art. 21 GDPR provides for the right for data subjects to object. However, that same article then states that “[t]he controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims”. In the context of the processing of TC String, Gameloft has identified and hereby intends to demonstrate that it may rely on a compelling legitimate interest to reject possible objection requests during a certain period of time after a TC String has been created and/or received.
As such, the necessity of processing TC Strings without giving the users the possibility to object is justified in the context of the controller’s required compliance with the accountability principle pursuant to GDPR Art. 5(2). Indeed, in practice, information must be stored in relation to users’ privacy choices in order to respect them, irrespective of which choices precisely the user makes, including their refusal of consent.
However, this limitation may be mitigated in several ways. For instance, users can always choose to delete any TC Strings saved on their own device if they so desire - and then receive another prompt the next time they visit the relevant digital property. In addition, this statement does not limit the users in their possibility to exercise the privacy rights that are made available to them under the Publishers’ policies and under Gameloft’s Privacy Policy.
Conclusion.
Following this Legitimate Interest Assessment, Gameloft confirms that:
-
Legitimate interest is the most appropriate legal basis for the processing of end users’ personal data (TC Strings) within the framework of IAB TCF Special Purpose 3 – “Save and communicate privacy choices”.
-
In that sense, Gameloft confirms that the processing is necessary and that there is no less intrusive way or more relevant legal basis to achieve the same result.
-
Furthermore, Gameloft confirms that end users’ data are processed in ways they would reasonably expect, and in ways they would not find intrusive or possibly harmful.
-
To the extent that Gameloft has not identified a significant privacy impact to this processing, it has not considered conducting a DPIA.
Gameloft undertakes to monitor this LIA on a regular basis and to update it, shall the circumstances, including but not limited to the data processing methods, security measures and regulatory obligations, be evolving.
***