EU Joint Controllership Agreement

Last updated: 6th Feb, 2023

1. Introduction

1.1 This EU Joint Controllership Agreement, including its Exhibits, (“EU JCA”) forms part of the GameAnalytics Terms and Conditions, available at https://gameanalytics.com/terms/, Purchase Orders or any other agreement about the delivery of the contracted services (the “Agreement”). This Agreement is between GameAnalytics ApS or its Affiliates (“GameAnalytics”, “we”, “us”) and the customer named in such Agreement or identified within GameAnalytics systems upon creating a GameAnalytics account (“Company”, “You”, “Your”). This EU Joint Controllership Agreement reflects the parties’ agreement about the Processing of Game Data, as those terms are defined below.

In the event of a conflict between the terms and conditions of this EU JCA and the Agreement, a Purchase Order, or any other documentation, the terms and conditions of this EU JCA shall prevail with respect to the subject matter of Processing of Game Data. This EU JCA shall be effective from the effective date of the Agreement, and survive termination or expiry of the Agreement.

1.2 All capitalized terms not defined herein shall have the meaning set forth in the Agreement and in the “Applicable Data Protection Law”.

• “Account” refers to Your Account for the Service, which You will receive when You create or sign up for a GameAnalytics account;
• “Affiliate” means, with respect to a Party, any entity that directly or indirectly controls, is controlled by, or is under common control with that party. For purposes of this EU JCA, “control” means an economic or voting interest of at least fifty percent (50%) or, in the absence of such economic or voting interest, the power to direct or cause the direction of the management and set the policies of such an entity.
• “Applicable Data Protection Law” means any applicable legislative or regulatory regime enacted by a recognized government, or governmental or administrative entity with the purpose of protecting the data protection and privacy rights of natural persons, in particular the EU General Data Protection Regulation 2016/679 (“GDPR”) and supplementing data protection laws of the European Union Member States, the United Kingdom’s Data Protection Act 2018 and the GDPR as saved into United Kingdom law by virtue of Section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018 (“UK GDPR”), the Swiss Federal Data Protection Act (“Swiss DPA”), Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”) S.C. 2000, ch. 5, and any provincial legislation deemed substantially similar to PIPEDA under the procedures set forth therein, and the California Consumer Privacy Act (“CCPA”) of 2018, the Brazilian Law No. 13,709/2018 – Brazilian General Data Protection Law (“LGPD”), the ePrivacy Directive 2002/58/EC (the “Directive”), together with any European Union Member national implementing the Directive.
• “Documentation” means any accompanying proprietary documentation made available to You by GameAnalytics for use with the Service, including any documentation available online or otherwise;
• “Game” means a game or a group of games that are linked to an Account and use the same Tracking Code. A Game is owned by a “Game Developer” or “Game Studio”, a company specialized in the development of video games (“Company”); An “Organization” may own several Game Studios;
• “Game Data” means the information data concerning the characteristics and activities of Players that is collected through use of the Tracking Code and then forwarded to the Servers and analyzed by the Processing Software;
• “Party” means a party to this Agreement and shall be a reference to You or GameAnalytics, as the context requires and “Parties” shall mean both GameAnalytics and You collectively;
• “Personal Data” means any information relating to a “Data Subject”, defined herein as an identifiable natural person and is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
• “Player” means a user of Your Game;
• “Processing” or “Processing Activities” means any operation or set of operations which is performed upon Personal Data or sets of Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction. For the avoidance of doubt: this includes processing of personal data to disclose, aggregate, pseudonymised, de-identify or anonymize Personal Data, and to combine personal data with other personal data, or to derive any data or information from such Personal Data.
• “Processing Software” means the proprietary GameAnalytics software and all upgrades to such, which is hosted by GameAnalytics on the Servers and which analyzes the Game Data and generates the reports relating to Games;
• “Servers” means the servers controlled by GameAnalytics (or its wholly owned subsidiaries) or a third party appointed by GameAnalytics upon which the Processing Software and Game Data are stored;
• “Service”: means the GameAnalytics Services as set forth in the Agreement, this EU JCA or associated GameAnalytics Purchase Orders;
• “Software” means the Tracking Code and the Processing Software, and all software used to access, view, or modify reports or access rights to GameAnalytics;
• “Standard Contractual Clauses” means: (i) where the GDPR applies the contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (the “EU SCCs”); (ii) where the UK GDPR applies, the applicable standard data protection clauses adopted pursuant to Article 46(2)(c) or (d) of the UK GDPR (the “UK IDTA or Addendum”); and (iii) where the Swiss DPA applies, the applicable standard data protection clauses issued, approved or otherwise recognized by the Swiss Federal Data Protection and Information Commissioner (“FDPIC”)(the “Swiss SCCs“).
• “Terms and Conditions”, available at https://gameanalytics.com/terms/, are hereby incorporated by reference and represent the legal agreements between GameAnalytics and Company in relation to Service.
• “Tracking Code” means the proprietary GameAnalytics tracking code, which is provided by GameAnalytics and installed by You in a game for the purpose of collecting Game Data, together with any fixes, updates and upgrades provided to you (collectively, the “Tracking Code”).
• “You”: GameAnalytics provides its Service to You (either an individual or a legal entity that you represent as an authorized employee or agent) (“You” and the phrase “Your” shall be construed accordingly)

1.3 The Parties acknowledge and agree to the following: Company and GameAnalytics are Joint Controllers, as defined in Art. 26 GDPR, of Game Data, except for the case described in Section 1.5. This EU JCA determines the rights and obligations of the Controllers (hereinafter also referred to as “Parties”) for the joint processing of Personal Data. It applies to all activities of the Parties, or processors appointed by a Party, when processing Game Data. The Parties have jointly determined the purposes and means of processing Personal Data pursuant to Art. 26 GDPR.

1.4 GameAnalytics’ Tracking Code and the Processing Software processes Game Data. Depending on the section of processing, this data is processed within certain GameAnalytics game development and analytics resources, including but not limited to, various software applications, site profile services, game development analytics and game usage analytics. The Parties agree that Personal Data are processed under Joint Controllership for the provision of the Service.

1.5 For any other Processing Activities, where the Parties do not jointly determine the purposes and means of data processing, each contracting Party is an independent Data Controller pursuant to Article 4 (7) GDPR. As far as the contracting parties are Joint Controllers pursuant to Article 26 GDPR, it is agreed as follows:

2. Responsibilities

2.1 In the context of Joint Controllership, GameAnalytics is competent for the Processing of Personal Data in the Service operations. Service operations include collation of the Game Data and the publication of the Game Data in the Processing Software. The Processing may concern the following categories of data: GameAnalytics collects device-ID level data directly from the Player’s device. GameAnalytics collates Game Data from all the GameAnalytics Company’s Games in the Processing Software, which is hosted in GameAnalytics’ Amazon Web Services (AWS) and Google Cloud Platform (GCP) accounts.

2.1.1 The lawful basis for the processing of Personal Data for analytics and product improvement purposes is Legitimate Interest, pursuant to Article 6, para. 1, letter f) GDPR.

2.1.2 The lawful basis for the processing of Personal Data for advertising and marketing purposes is Consent, pursuant to Article 6, para. 1, letter a) GDPR.

2.2 In the context of Joint Controllership, Company will ensure that Company have provided adequate notices to data subjects (including without limitation all individual Players and other end-users), in each case, to the extent necessary for GameAnalytics to process their Personal Data in connection with this EU JCA and as described in the GameAnalytics’ Agreement.

2.3 In the context of Joint Controllership, Company will ensure that Company have obtained valid consents and permissions from data subjects (including without limitation all individual Players and other end-users), in each case, to the extent necessary for GameAnalytics to process their Personal Data in connection with this EU JCA and as described in the GameAnalytics’ Agreement.

2.4 Personal Data Processing activities may include, without limitation, the following:

• Customer will embed GameAnalytics’ Tracking Code in the Game. The Tracking Code will be installed in the Player’s device for the purpose of collecting Game Data;
• GameAnalyitics will carry out automated processing activities (including in-game profiling) through the Tracking Code;
• GameAnalyitics will process Game Data for analytics and mobile advertising purposes, in accordance with the Applicable Data Protection Law.

2.5 Company must not circumvent any privacy features (e.g., an opt-out) that are part of the Service and Company will not by act or omission, cause GameAnalytics to violate any Data Protection Laws, notices provided to, or consents obtained from, Data Subjects as result of processing Personal Data in connection with the Service and this EU JCA.

2.6 GameAnalytics may, by use of a random sample and in its sole discretion, check whether Companies have implemented any Applicable Data Protection Law requirements (“Privacy Audit”). Game non-compliance will be regarded as a material breach of this EU JCA and the Agreement. Under such circumstances, the Agreement may be terminated by GameAnalytics at any time, however, Company will be provided a reasonable notice to remediate any non compliance.

2.7 If Company is selected for a Privacy Audit and GameAnalytics determines that Company’s Processing Activities violate any Applicable Data Protection Laws, GameAnalytics shall provide a term of 30 days for Company to remediate, before blacklisting Company’s Game without further notice. At the end of the above 30 days term, GameAnalytics shall check in with Company to assess if appropriate measures have been implemented.

2.8 The Game Data collected by GameAnalytics may without limitation be used for the purposes of software development and for analytical purposes. GameAnalytics shall have the right to use all data collected during the Service or otherwise pursuant to this Agreement (i) to perform its obligations and enforce its rights under this Agreement, (ii) to operate and improve its Service, (iii) for analytics and general reporting or research purposes, notably as part of the Service enhancement, and (iv) for marketing and targeted advertising purposes. You grant to GameAnalytics a worldwide, perpetual, irrevocable, non-transferable, non-exclusive, royalty-free license to use any such data for the purposes set forth herein.

2.9 For all other uses of Game Data by GameAnalytics and/or Company, Parties will be considered as independent Data Controllers.

3. Compliance and obligations

3.1 Each party shall ensure compliance with the Applicable Data Protection Law, particularly in regards to the lawfulness of data processing under joint controllership. The parties shall take all necessary technical and organizational measures to ensure that the rights of data subjects, in particular those pursuant to Articles 12 to 22 GDPR, are guaranteed at all times within the statutory time limits.

3.2 The Parties shall store personal data in a structured, commonly used, and machine-readable format.

3.3 Company shall ensure that only personal data which is strictly necessary for the legitimate conduct of the process are collected and for which the purposes and means of processing are specified by international or national laws, including without limitations the Applicable Data Protection Law. Moreover, both contracting parties agree to observe the principle of data minimisation within the meaning of Article 5 (1) lit. c) GDPR.

3.4 If a Data Protection Impact Assessment pursuant to Article 35 GDPR (DPIA) is required, the Parties shall support each other. Upon the Company’s request, GameAnalytics will, to the extent required by Applicable Data Protection Laws, assist the Company in carrying out the DPIA, and prior consultations with supervisory authorities, concerning the Service. Company shall reimburse GameAnalytics for reasonable costs for such assistance in accordance with applicable fees for professional services under the Agreement. Such costs and fees shall be reasonable with consideration taken to the time and resources required from GameAnalytics. Obligations within the meaning of Article 5 (2) GDPR, relating to data Processing activities, shall be documented and archived by each Party beyond the end of this Agreement, in accordance with legal provisions.

4. Data Subject Rights

4.1 Company commits itself to provide the Data Subject with any information referred to in Articles 13 and 14 of the GDPR in a concise, transparent, intelligible, and easily accessible form, using clear and plain language. The information shall be provided free of charge. The Parties agree that GameAnalytics will support Company in providing the information on the processing of Personal Data for the purposes set forth herein. The Data Subject may exercise his or her rights under Articles 15 to 22 GDPR against each of the Joint Controllers.

4.2 Company shall provide the data subject access according to Article 15 of the GDPR.

4.3 Where the data subject requests access according to Article 15 GDPR, GameAnalytics shall support Company, in order to provide this information.

4.4 If necessary, the parties shall provide each other with the necessary information from their respective operating range. Competent point of contact for GameAnalytics is:

– GameAnalytics DPO: privacy@gameanalytics.com.

– Company: contact information provided upon creating a GameAnalytics Account.

Each party must immediately inform the other of any change of the point of contact.

4.5 If a Data Subject exercises his or her rights against GameAnalytics, in particular of the rights of access, correction, or deletion of his or her personal data, GameAnalytics is obliged to forward this request to Company without undue delay. This applies irrespective of the general obligation to guarantee the right of data subjects. The party receiving the request must provide the information within its operating range to the requesting party promptly, giving reasonable time to fulfill the request within the time frame established by Applicable Data Protection Law.

4.6 If Personal Data is to be deleted, the Parties shall inform each other in advance, giving reasonable time to fulfill the request within the time frame established by Applicable Data Protection Laws. A Party may object to the deletion for a legitimate interest, including but not limited to any legal obligations to retain the Game Data set for deletion.

4.7 The parties shall inform each other immediately if they notice errors or infringements regarding data protection provisions during the examination of the processing activities.

4.8 Company undertakes to communicate the essential content of the Joint Controllership arrangement to the Data Subjects (Article 26 (2) GDPR).

4.9 Each Party must notify the other Party without undue delay and in no less than 24 hours after becoming aware of a Personal Data breach. The Party that experienced the breach is obliged to inform the competent Supervisory Authority and any Data Subjects affected by a violation of the protection of Personal Data in accordance with Articles 33 and 34 GDPR and other Applicable Data Protection Laws. The Parties shall inform each other about any such notification to the Supervisory Authority without undue delay. The Parties also agree to forward the information required for the notification to one another without undue delay.

GameAnalytics services and products are designed to meet the highest safety standards in supporting children-friendly mobile apps and technologies, with a special focus on data security and privacy rights, in accordance with the applicable privacy laws, including GDPR, COPPA, and the UK Children’s code. If Your Game targets children or kids as defined by the Applicable Privacy Law, You must notify Us without undue delay at privacy@gameanalytics.com.

5. Security and Confidentiality

5.1 Within their operating range, the parties shall ensure that all employees authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality in accordance with Articles 28 (3), 29, and 32 GDPR for the duration of their employment, as well as after termination of their employment. The parties shall also ensure that they observe the data secrecy provisions prior to taking up their duties and are familiarized with the data protection legislation and rules relevant to them.

5.2 The parties shall independently ensure that they are able to comply with all existing storage obligations with regard to the Game Data. For this purpose, they must implement appropriate technical and organizational measures (Article 32 et seq. GDPR). This applies particularly in the case of termination of the cooperation/Agreement.

5.3 The implementation, default-setting, and operation of the systems shall be carried out in compliance with the requirements of the GDPR and other regulations. In particular, compliance with the principles of data protection by design and data protection by default will be achieved through the implementation of appropriate technological and organizational measures corresponding to the state of the art.

5.4 The parties agree to store Game Data which are processed on the Processing Software, which is hosted in GameAnalytics’ Amazon Web Services (AWS) and Google Cloud Platform (GCP) accounts, in the course of the Services on specially protected servers.

5.5 In the context of Clause 5.4, Amazon Web Services (AWS), Google Cloud Platform (GCP) and Imply Data, Inc. are GameAnalytics’ processors within the meaning of Article 28 GDPR. Each Party undertakes to conclude a contract pursuant to Article 28 GDPR with regard to the processing of the personal data for which each Party is responsible.

5.6 The parties commit themselves to conclude a contract in accordance with Article 28 GDPR when engaging processors within the scope of this agreement (see 1. Introduction).

5.7 The Parties shall inform each other in a timely manner of any intended change with regard to the involvement or replacement of subcontracted processors. The Parties shall only commission subcontractors who meet the requirements of the Applicable Data Protection Law and the provisions of this EU JCA. Services which the contracting Parties use from third parties to support the execution of the Agreement, such as telecommunications services and maintenance, shall not be seen as services provided by subcontractors within the meaning of this EU JCA. However, the Parties are obligated to make appropriate contractual agreements in accordance with the law and to take controlling measures to guarantee the protection and security of personal data, even in the case of additional third party services.

5.8 Only processors who are subject to the legal obligation to appoint a Data Protection Officer shall be commissioned to perform services in connection with the Agreement.

5.9 The Parties shall include the processing operations in the records of processing activities pursuant to Article 30 (1) GDPR, in particular, with a comment on the nature of the processing operation as one of joint or sole responsibility.

5.10 Retention requirements

GameAnalytics retains the Game Data collected through the Service for up to 18 months. Information is automatically purged from GameAnalytics systems upon the expiration of the retention requirements listed in Table 1. Note that any other information in GameAnalytics systems will be retained for as long as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements.

Data description	Retention requirements
Player Warehouse	1 year
Player Lookups – for annotated data to calculate game retention	18 months
Raw and annotated data	1 month

Table 1: Retention requirements

6. Information sharing or disclosure

6.1 In the event that we contract with a third party to provide some parts of the Service that You have requested or to assist us in analyzing our Service or information collected about You and/or Your customers, GameAnalytics may provide Your information and/or Your customers’ information to such third party, or such third party may collect information from You or Your customers on our behalf. We may share Your information and Game Data with our Affiliates for industry analysis and statistical purposes. When permitted by Applicable Data Protection Law, we may provide Game Data to our Affiliates, business partners, advertisers or other trusted entities for the purpose of targeted advertising. When permitted by Applicable Data Protection Law, we may also provide Your information to our Affiliates, business partners, advertisers or other trusted entities for the purpose of providing You with information on goods and services we believe will be of interest to You.

6.2 We will disclose any information about You to government or law enforcement officials or private parties as we, in our sole discretion, believe necessary or appropriate to respond to claims and legal process (including but not limited to subpoenas), to protect the property and rights of GameAnalytics or any third party, to protect the safety of the public or any person, or to prevent or stop activity we may consider to be, or to pose a risk of being, illegal, unethical or legally actionable.

6.3 In addition, we may disclose information about You or Your customers to third parties in connection with a corporate reorganization, merger or amalgamation, or the sale of all or substantially all of our assets.

6.4 Finally, we may aggregate and anonymize information collected by the Services or via other means so that the information does not identify You or Your customers. Our use and disclosure of aggregated, anonymized, and otherwise non-identifiable information is not subject to any restrictions under this Agreement, and we may disclose it to others without limitation for any purpose, including with game developers, advertisers, publishers, business partners, sponsors, and other third parties.

7. International transfer

7.1 Both Parties shall not process any Game Data (nor permit any Game Data to be processed) in a territory outside of the European Economic Area (“EEA”), the United Kingdom (“UK”), or Switzerland unless it has taken such measures as are necessary to ensure the transfer is in compliance with Data Protection Laws. Such measures may include (without limitation) transferring the Game Data: to a recipient in a country that the European Commission, UK Information Commissioner’s Office (“ICO”), Swiss Federal Data Protection and Information Commissioner and/or other competent authority (each, a “Competent Authority”), as applicable, has decided provides adequate protection for Personal Data; to a recipient that has achieved binding corporate rules authorization in accordance with Data Protection Laws; to a recipient that has executed standard contractual clauses adopted or approved by a Competent Authority (“Standard Contractual Clauses”); or to a recipient that meets such other standard of adequacy as may be recognized under Applicable Data Protection Laws from time to time.

7.2 Furthermore, Company and GameAnalytics shall enter into Module 1 of the EU Standard Contractual Clauses (“EU SCCs”) incorporated herein by reference as Exhibit A to allow Game Data to be transferred in accordance with Applicable Data Protection Law. For transfers of Personal Data from the UK (such data, “UK Personal Data”) outside of the UK or any country approved by the ICO as providing adequate protection for UK Personal Data, then: (i) the EU SCCs shall also apply to transfers of UK Personal Data; and (ii) the UK International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (“UK Addendum”) shall be deemed executed by the Parties and the SCCs between the parties shall be deemed amended as specified in the UK Addendum. Both Parties shall fully cooperate in conducting any related data privacy assessments, questionnaires, or similar diligence as may be necessary from time to time in connection with any such international transfers.

8. Liability

Notwithstanding the provisions of the Agreement, the Parties shall be liable for damages resulting from processing that fails to comply with the GDPR or other Applicable Data Protection Laws. In external relations they are jointly liable to the data subjects concerned, but shall be entitled to claim back from the other party compensation as set forth in Art. 82 (5) GDPR.

In the internal relationship the Parties are liable, notwithstanding the provisions of this contract, only for damages which have arisen within their operating range.