Request to remove my personal information from Blizzard API according to GDPR

Let's suppose I want to remove my characters from the Blizzard API and the worldofwarcraft.com website according to GDPR. I consider my character names my personal information and want to remove them.

Is it possible and how do I do that?
This topic is not a real request. In order to decide how to react to such requests myself (there are not many, but they happen sometimes), I want to check how Blizzard would react to such requests since there are better lawyers consulting them.
I think you will find something like this in the ToS: "any and all info pertaining to Warcraft is property of Blizzard", I am sure, meaning you don't "own" your toons' names.

I could be wrong; a blue would need to confirm.
My guess would be that the answer would be if you delete your account, your characters would then no longer show via the API. It doesn't really answer your real question of course, which I doubt Blizzard will ever answer.
My thoughts are that Blizzard will delete your account with your history of visits, payments, conversations and so on.
If you receive a request from someone to remove their character from your service, you don't have to do it because Blizzard are the owners of them. However, you can remove that person's history of visits and some data that you collected (first and last name, address, phone, etc.).

10/07/2018 01:19 PM Posted by Ulminia
I could be wrong; a blue would need to confirm.
IANAL, but I do work extensively with folks to comply with the GDPR. One aspect of the GDPR is that personal information is absolutely controlled by the individual, not the business. Nothing a business says can change the right of the individual to control information related to them. So while Blizz may "own" those records, the people that are related to them have the right to control the information dissemination.

Blizzard has changed their terms and conditions to explicitly allow them to collect and disseminate your account information. (This is required under the GDPR.) I suspect that if a European customer sent a legally compliant GDPR request to block dissemination of their data, Blizzard would delete all of the information on their servers related to that account. That would satisfy the law. And it is much cheaper and easier than trying to build an infrastructure around accounts that can't have information shared. They could even do that in a way that lets you keep playing--just set your account to delete all characters on logout. That obviously would be a suboptimal way to play WoW, but GDPR doesn't require that your game be fun.
10/09/2018 05:53 AM Posted by Kula
IANAL, but I do work extensively with folks to comply with the GDPR. One aspect of the GDPR is that personal information is absolutely controlled by the individual, not the business. Nothing a business says can change the right of the individual to control information related to them. So while Blizz may "own" those records, the people that are related to them have the right to control the information dissemination.

Blizzard has changed their terms and conditions to explicitly allow them to collect and disseminate your account information. (This is required under the GDPR.) I suspect that if a European customer sent a legally compliant GDPR request to block dissemination of their data, Blizzard would delete all of the information on their servers related to that account. That would satisfy the law. And it is much cheaper and easier than trying to build an infrastructure around accounts that can't have information shared. They could even do that in a way that lets you keep playing--just set your account to delete all characters on logout. That obviously would be a suboptimal way to play WoW, but GDPR doesn't require that your game be fun.


When working with orgs to assist with compliance with the GDPR, what type of information do some organizations use "Legitimate Interest" for?

1. Processing shall be lawful only if and to the extent that at least one of the following applies:

(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

(c) processing is necessary for compliance with a legal obligation to which the controller is subject;

(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;

(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.


Here is a VERY good example that can easily apply here.

https://www.gdpreu.org/the-regulation/key-concepts/legitimate-interest/


To demonstrate why this concept is sensible in the real life, consider the case where a data subject makes a pizza purchase online by submitting his delivery address. Here, the data subject is a client of the pizza merchant, who has a legitimate interest in fulfilling the delivery, where the processing of the subject’s personal data (address) also passes the “necessary” requirement. The merchant therefore does not need to add a checkbox during the checkout process that asks for permission to process the subject’s address, since the subject can reasonably expect this processing to take place as he submitted this information. That said, the merchant does not have a blanket, perpetual license to take advantage of this delivery address for other purposes, such as by selling it to the next door Chinese restaurant to send marketing materials to.


Here is another site that talks about it.
https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/legitimate-interests/


Legitimate interests is the most flexible lawful basis for processing, but you cannot assume it will always be the most appropriate.
It is likely to be most appropriate where you use people’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing.
If you choose to rely on legitimate interests, you are taking on extra responsibility for considering and protecting people’s rights and interests.
Public authorities can only rely on legitimate interests if they are processing for a legitimate reason other than performing their tasks as a public authority.
There are three elements to the legitimate interests basis. It helps to think of this as a three-part test. You need to:
identify a legitimate interest;
show that the processing is necessary to achieve it; and
balance it against the individual’s interests, rights and freedoms.
The legitimate interests can be your own interests or the interests of third parties. They can include commercial interests, individual interests or broader societal benefits.
The processing must be necessary. If you can reasonably achieve the same result in another less intrusive way, legitimate interests will not apply.
You must balance your interests against the individual’s. If they would not reasonably expect the processing, or if it would cause unjustified harm, their interests are likely to override your legitimate interests.
Keep a record of your legitimate interests assessment (LIA) to help you demonstrate compliance if required.
You must include details of your legitimate interests in your privacy information.


The data available through the API cannot cause any kind of harm AND is covered in the EU privacy policy.

https://www.blizzard.com/en-gb/legal/8c41e7e6-0b61-42c4-a674-c91d8e8d68d3/blizzard-entertainment-privacy-policy


Legitimate interest. We use your data for purposes that are not harmful to your privacy and that can be reasonably expected within the context of your relationship with Blizzard. This includes using information for:

Ad Targeting via ‘Paid Media’
Ad Targeting via ‘Custom Audience’ and similar systems—Appropriate ads for players considering their previous purchases (Your unencrypted personal data are never shared with third parties without your consent.)
Analytics & Data Segmentation
Business Optimization and Service Development
Publishing Email - Marketing Campaigns
Research Groups
Training & Development
Customer Support


In my opinion, based on the facts presented above, consumers of the API have nothing to worry about.
10/09/2018 05:53 AM Posted by Kula
IANAL, but I do work extensively with folks to comply with the GDPR. One aspect of the GDPR is that personal information is absolutely controlled by the individual, not the business. Nothing a business says can change the right of the individual to control information related to them. So while Blizz may "own" those records, the people that are related to them have the right to control the information dissemination.

Blizzard has changed their terms and conditions to explicitly allow them to collect and disseminate your account information. (This is required under the GDPR.) I suspect that if a European customer sent a legally compliant GDPR request to block dissemination of their data, Blizzard would delete all of the information on their servers related to that account. That would satisfy the law. And it is much cheaper and easier than trying to build an infrastructure around accounts that can't have information shared. They could even do that in a way that lets you keep playing--just set your account to delete all characters on logout. That obviously would be a suboptimal way to play WoW, but GDPR doesn't require that your game be fun.


As far as deleting the data, EU users can request the information be deleted or get a copy of it. If it's deleted, you can no longer play or use any Blizzard product related to that account, nor is that data recoverable.
Some information for everyone reading this.

When you accept the ToS before playing, you willingly agree to the fact that Blizzard owns the account and can do anything to the account at any time for whichever reason they'd like.

We as consumers do not "own" anything when it comes to blizzard, battle.net, etc...

WE simply have an agreement with Blizzard to allow us to play their game. :)
