ROVIO RESEARCH PRIVACY NOTICE

Last updated: January 16, 2020

This notice explains how Rovio Entertainment Corporation (referred to as “we” in this notice) collects, stores, uses, or otherwise processes the personal data of participants or potential participants in our voluntary game testing and user research activities (referred to as “you” in this notice), and what rights you have if we are processing your personal data.

It is important that you read this notice before participating in our game testing or user research activities (collectively “Research”) so that you are aware of how and why we may use data relating to you. Please note that this notice applies to Research that we mainly conduct outside of the Services (including our games, mobile applications, other products, and websites) covered by the Rovio Services Privacy Notice. We may also conduct surveys or other research in our Services. Those activities are subject to the Rovio Services Privacy Notice.

1    Data controller

By “data controller”, we mean an entity that determines how and why personal data is processed. With regard to the Research, we are the data controller. Our company name is Rovio Entertainment Corporation. Our address is Keilaranta 7, FI-02150 Espoo, Finland.

In some cases, we may propose that a third-party service (for example, video communications service) be used to facilitate the Research. We may also have a third party carry out activities that support our Research (for example, search for research participants or analyze research results). In these scenarios, the third party may be the data controller of any data they collect about you. For more information, please review the third party’s privacy policies.

2    Contact information

In matters related to this notice, you can reach us by email at privacy@rovio.com.

We have also designated a Data Protection Officer (“DPO”) to oversee our data protection related matters. If you have any questions or concerns about the way we use your data, you may contact our DPO by email at dpo@rovio.com.

3    Why do we process your data and on what basis?

With your consent, we may process your data:

  • to conduct playtesting, surveys, interviews, or other research related to our games,
  • to understand how players experience games, including how they feel to play, what kinds of emotions they evoke, and the reactions they create,
  • to develop or improve our current or future games, other products and services, or the Research itself,
  • to remember that you are interested in participating in our Research in the future, if you have indicated to us that you are,
  • to communicate with you about our Research, or
  • for other purposes explained to you when we ask for your consent.

When we process your data based on consent, we will ask your parent or guardian for consent if you are unable to give consent yourself due to your age or other reasons, as determined by applicable laws and regulations.

Based on our legitimate interest to find participants for our Research, we may process your data to determine whether you might be interested in participating in our Research and ask whether you wish to participate in a specific Research. Based on our legitimate interest to understand our users as a whole, we may process your data to create data that is not identifiable to you (for example, aggregate data), which we may then freely use for our Research.

We may also process your data:

  • to establish, exercise, or defend our legal rights based on our legitimate interest to safeguard our operations,
  • as necessary to comply with legal obligations which we believe apply to us, or
  • as necessary to protect your vital interests or the vital interests of another person.

In addition, we may process your data for additional purposes which are compatible with any of the purposes listed above.

We do not use your data to make automated decisions which significantly affect you. By an “automated decision”, we mean a decision made by an information system without any human intervention.

4    What data do we process?

We may process the following data relating to you:

  • your name, phone number, email address, or other contact information we may use to communicate with you about the Research,
  • information about your background (for example, age, gender, or country),
  • your communications with us (for example, emails we exchange with you regarding the Research),
  • if you participate in Research that is recorded, recordings of your gameplay, communications (for example, voice or text communications with other participants), or reactions to gameplay (for example, facial expressions or body movements),
  • any information you submit during Research (for example, information on your interests and preferences), including your comments, feedback, and survey responses,
  • if you play our games, your in-game alias, player ID (which is an identifier we assign to each of our players), or other online identifier and data relating to your game activity, and
  • other information we notify you about before your participation in the Research.

We do not expect or intend to collect or otherwise process any special categories of data relating to you. By special categories of data, we mean genetic, biometric or health information, information revealing racial or ethnic origin, sex life or sexual orientation, political opinions, religious or philosophical beliefs or trade union membership, or information about your criminal offences or convictions. Please do not provide this kind of information to us in connection with the Research.

5    Where do we collect your data from?

Mainly, we collect your data directly from you in the course of the Research. This includes both data you submit to us (for example, your comments, feedback, or survey responses) and data you provide by participating in the Research (for example, recordings of your gameplay during Research). Data on your game activity we may collect whenever you play our games, including before or otherwise outside the scope of the Research. In some cases, we may also receive data from a third party who supports our Research (for example, by searching for research participants or helping us analyze research results).

Participation in the Research is entirely voluntary, which means that providing data to us is not mandatory. However, unless the Research is conducted anonymously, you will be required to provide data to us if you wish to participate in the Research. When Research is conducted anonymously, this is usually specifically mentioned.

6    Who do we share your data with?

We may share your data with third parties to achieve the purposes described in this notice. This may include sharing data with the following types of recipients:

  • other companies in the Rovio group, for example where they help us develop or operate the games or other products to which the Research relates,
  • companies outside of the Rovio group that provide services to us and that process data on our behalf when providing those services (including, for example, providers of hosting services, communications services, or research technology or analysis),
  • a prospective or actual buyer (and their agents or advisors) in the context of a planned or actual acquisition, merger, or other business restructuring
  • competent courts of law or other government authorities where we believe disclosure is necessary as a matter of applicable law or regulation,
  • any person or entity where we believe disclosure is necessary to exercise, establish or defend our legal rights, or to protect your or another person’s vital interests, or
  • with any other person or entity with your consent.

In connection with the processing activities described in this notice, your data may be transferred to and/or processed in countries outside of the European Union (“EU”) and the European Economic Area (“EEA”). For example, a number of servers we use for hosting data are located in the United States, and some of our group companies involved in the Research or the service providers we use for conducting the Research may be located outside of the EU and the EEA. These countries may have data protection laws that differ from the laws of your country. In these cases, we will provide appropriate safeguards to protect your personal data. These safeguards may include compliance with the European Commission’s standard contractual clauses for transfers of personal data or reliance on the EU-US Privacy Shield framework. Upon request, we can provide you a copy of the European Commission’s standard contractual clauses and further details on the applicable safeguards.

7    How long do we keep your data?

We will keep your data for as long as necessary to achieve the purpose(s) for which it was collected. Our current policy is to retain Research data for up to three years from the end of the calendar year during which it was collected. If you have asked to join our registry of those interested in participating in Research, we may, however, keep your information in that registry until you ask us to remove you from it.

After the applicable retention period, we will either delete or de-identify your data or, if neither deletion or de-identification is possible (for example, due to data being stored on a backup server), isolate your data from further processing until deletion or de-identification is possible. We may keep and continue to use data that is no longer identifiable to you (for example, aggregate data).

8    How do we keep your data secure?

We have adopted measures to provide your data a level of security appropriate for the degree of risk involved with the processing activities described in this notice. These measures are designed to protect your data against accidental or unlawful destruction, loss, or alteration as well as unauthorized disclosure or access. The specific measures we employ vary, but typically include, for example, encryption in transit, pseudonymization of identifying data where feasible, controls to limit access to services or systems that contain personal data, contractual safeguards with third parties who process data, and maintaining procedures to handle any suspected security incidents.

9    Your rights

If we are processing your data, you have the right to:

  • access, correct, or request the deletion of your data,
  • request us to restrict our processing of your data,
  • object to our processing of your data to the extent our processing is based on our legitimate interests or the legitimate interests of a third party, or
  • where technically feasible, request a copy of the personal data you have provided to us in machine-readable format.

Where our processing of your data is based on your consent, you also have the right to withdraw your consent at any time. Please be aware that we may continue processing your data despite your withdrawal of consent, if we have a lawful basis for doing so.

To exercise any of your rights, please contact us by email at privacy@rovio.com. To fulfill your request, we may need to confirm your identity to verify your right to make the request, which may involve requesting additional information from you. While we will usually not do so, we reserve the right to charge an appropriate fee from you for the exercise of your rights where permitted by applicable laws and regulations.

Finally, you always have the right to lodge a complaint with your local data protection authority regarding our processing of your data. For more information, please contact your local data protection authority (for example, the Office of the Data Protection Ombudsman in Finland).

10    Changes

We may update this notice from time to time, for example due to changes in our operations or the legal obligations that apply to us. Updates will be made available here. We may also inform you of any changes by other means that are appropriate to the significance of the changes.