What are your rights? - GDPR Art. 15 "Right of access by the data subject"

  • Heyho,

    today I want to discuss and share with you a topic, that is really important to me. privacy.

    To be more specific, I wanted to know, what data Aeria Games and gamigo are collecting about me and how it is processed and used in their workflow.

    Luckyly for me, there is Art.15 of GDPR, which gives me the right, to demand lots of data from Aeria Games/gamigo.

    But as some might just know that this article exists, but not what you can do with it, I wanna introduce you to it and show you, what your rights as a person using a european companies services are.

    The following part might become a Wall of Text, so I will include a little tl;dr at the bottom. But I highly encourage you, to at least the next part about Article 15.

    Short note to who the GDPR applies to:

    - Every user of a service that is offered by a company or group that is located in the european union, it doesn't matter where the data is actually stored.

    - Every european citizen using any kind of service that is collecting person-related data. This service and the company can be located anywhere in the world.

    So let's go over Art. 15 it a little:

    It starts off with the following:

    1. The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:

    Basically this article is only about individual-related data, that is being processed in any way. This includes basically anything that is being stored on their servers, like login requests, adresses, payment information. But also things you do in the game itself, like what you spend AP/PEN for, what items you have, which enchants you did. (Only of cause if they log that, which for the enchants they do for example).

    The second half of this sentence is stating, that you can request all the data the personal data and the following things about that:

    1. the purposes of the processing;
    2. the categories of personal data concerned;
    3. the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
    4. where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
    5. the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
    6. the right to lodge a complaint with a supervisory authority;
    7. where the personal data are not collected from the data subject, any available information as to their source;
    8. the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

    1. You can demand to know why they collect/process your data. (Examples: Items (having the account work), Payment Data (ease of buying AP), Loginbehaviour (Find shared accounts?))
    2. Some examples for categories: Location Data (GPS, IP Tracking), Behaviour (Loginbehaviour, What parts of the shop you look at the most), etc.
    3. Which groups of persons or companies do have access to your data? (Examples would be: Google Drive: as they used these forms a lot, EAC: Cause it's the hackshield S4 League uses)
    4. In most cases collected data has to be deleted at some point, either by time, or if an event happens, like when you delete your account)
    5. They have to inform you if you have a right for the data to be deleted or edited, or if you can constrain this data from being processed or in some cases that you even have the right of objection of that data being processed. (Maybe you can tell them not to log your Loginbehaviour for example)
    6. This is basically about you being able to lodge a complaint by some kind of supervisory authority. You might want todo that if you thing your data is not handled correctly.
    7. If data that is connected to you, that wan't produced by you (for example if you got some kind of items from an event), you should get all available information on where this data came from.
    8. This means that if automated processes analyze your behavior and data your produce - which is often used by sales teams to sell well selling items or check what items prople look at the most - you are allowed to be informed on what logic and scale these programs work and how the results of these affect you.

    You see, companies in europe have to be pretty transparent and you got a lot of rights regarding your data.

    But this isn't all, so let's move on.

    1. Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer.

    If your data is being sent or stored on servers that aren't located in the same country the company is located in (Aeria Games and gamigo are both german), you have the right to be informed which safeguards protect your data. But this is mentioned in Article 46.

    1. The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.

    This is the part, which defines how you can request your data. But this is bound to some rules.

    So without any more contraints it is said, that the controller (so the one that is responsible for your data) has to provide a copy of your personal data, that is being processed, to you. This has to be free, so you don't have to pay anything for that.

    But it is said, that if you request it a second time, they can charge you a resonable fee. But if you dig deeper in that, you find this article: Recital 63 - Right of access*

    This basically sais, that you can request it in reasonable intervals. Other companies like Facebook, Google and Discord allow a copy of your data for free every 6 months. So I think it is reasonable for Aeria Games / gamigo too.

    The third sentence basically means, that if you send a request for a copy of your data by electronic, you have to use a commonly used electronic form. (So you can't send encrypted mails that they can't decrypt to trick them). If you send a ticket or an email in english or another supported language it should be enough.

    So you basically know what your rights are for this one article. So let me tell you some other things you might be interested in about this as an FAQ.

    How long does it take till I get the copy of my personal data?

    It is stated in GDPR Art.12 (3) that the controller has a to work on your request "without undue delay and [...] within one month of receipt of the request."

    There is a second sentence that states the following:

    "That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay."

    So they can infact extend the period by 2 months, but that is it. They have to inform you before the first month ended and give you the reason on why it had to be extended.

    How and in which form do I get my data?

    The way you get your data is not explicitly said, but it is stated, that if you requested the data electronicly, that you will receive it that way. In which form they send it to you and by what method is up to them, but I will in a second topic go over my experiences with Aeria Games and gamigo and show you how I got it.

    I highly encourage you to ask your questions here and I will answer them to my best knowledge!

    I really hope that you read what I wrote and that you now know a little more about your rights as a user of a european companies service are.

    If you want other articles explained like that, you can hit me up via a direct message and I see what I can do.

    For all the people that will discuss in this topic, please keep it on topic!


    Yeah, you thought that I would break it down nicely, but I won't! Fly over the text and read the sections I marked in bold font. This should give you an example about the Article and if you want to know more, read it completly.


    I actually did already request my data and it took around 2 and a half months. I will share that story in the following days, I just wanted to prepare you for that and help you, understand the frustration I had in these 2.5 months.

    Have a good day, stay safe and always have an open eye!

    -Leave a like if this helped you-

    EDIT #1: Thanks at Xane for dropping a question that in the end improved the quality and validity of this topic!


    Signature created by Void


    The post was edited 2 times, last by Portagoras: Updating the topic to improve quality and validity ().

  • Xane   Heiliger   Plank   Hella_Hell

    Actually I did see Xane s question about this.

    It took me a while to check all the laws that are involved with it, but in fact I was wrong up there.

    When you check the Art. 3 GDPR Territorial scope and what is related to it, it does say, that only the location of the company that is processing person-related data matters. (as long as this company is offering any kind of service that actually collectes person-related data)

    So in this case it affects everyone. That has an Aeria Games/ a gamigo Account or ever used any of their services (including visiting the website, if they track anything about visitors without account for example)

    I will correct this in my topic asap!!

    Thanks for bringing up that question, taught me a lot.

    Cya around.