Data Processing Agreement FAQ

Frequently asked questions about the data processing agreement needed to be signed when contracting Fans United to handle your users data.

Suggest Edits

I have my own authentication system where I keep the user profile data. Why do you need gender? What is it used for?

Gender is used for reports. It can also be used to fetch a particular subset of users in order to be targetted with content, ads, etc.

I have my own authentication system where I keep the user profile data. Why do you need country of residence? What is it used for?

Country is used for reports, especially for international clients/customers. It can also be used to fetch a particular subset of users in order to be targetted with content, ads, etc.

I have my own authentication system where I keep the user profile data. Why do you need birth date? What is it used for?

The birth date is used to detirmine age and is used for reports. It can also be used to fetch a particular subset of users in order to be targetted with content, ads, etc.

I have my own authentication system where I keep the user profile data. Why do you need email? What is it used for?

The email is used for integrations with communication services such as email delivery platforms. Fans United integrates with systems such as MailChimp, Sendgrid, etc. The email is used as a unique identifier in those systems.

However, it must be said, that these are opt-in. We only need the email if you want to send emails to particular set of users.

I have my own authentication system where I keep the user profile data. Why do you need names and nickname/username? What are they used for?

Names and nickname/username are used for rankings of users. We make them available for the client in order to have an easy integration. For example, 1st place is George Smith, 2nd place is Michael Dell, etc.
Addendum 1 of the DPA states that data regarding “avatar (only when contains biometric data)” is collected.

What type of biometric data is referred therein, why, and how is it collected?

This is just in case that the user uploads a picture of themselves, which can be consider biometric.

Can Fans United, from a technical point of view, work without email, names, username/nickname, avatar, gender, birth date or country?

As far as Fans United is concerned, we can skip:

  • The names, username and avatar. However, this will mean, that the client will have to fetch them from authentication service (e.g. Ringier Connect) each time on demand, when they want to display something. Although technicallly possible (if the authentication service supports it), it will be difficult and cumbersome to do.
  • Gender, country and birth date can be skipped as well, but the breakdown in the reports will be lost. Also, specific functionality will be not work. For instance, if you want to take a subsection of users who are above 18 years of age, in order to send them alcohol related ads or content.

How does Fans United collect user data? More precisely, does the client/customer collect the game interaction user data and further send it to Fans United or does Fans United collect the game interaction user data directly from the client/customer website?

Fans United does not have the ability to automatically collect data. All data processed by Fans United is sent by the client/customer, on behalf of the user.

For example, the client/customer builds a game participation form where the user inputs their predictions. Upon clicking the “Send“ button, the client collects the user input and sends it to Fans United.

Example 2: The user reads an article about Manchester United, Premier League and Cristiano Ronaldo. The client then sends an event to Fans United that this particular user has read this particular article. It is up to the client to decide what they want to send or not. They can also manipulate the request to remove some things or enrich the data sent to Fans United.

The client is in complete control.

Where will the personal data received from the users be stored (e.g servers located within EEA / outside EEA, nationality of the owner of servers/providers the storage services) and who will have access to it (including nationality, capacity – e.g. processor/controller and location from which data may be accessed)?

We store the data inside the EU. Fans United is hosted on Google’s cloud infrastructure, in their datacenter in Belgium.

Access to the data have only a limited number of Fans United engineers and support staff who need it for solving problems and support.

One of the processing operations mentioned is analysis (including automated profiling). What does the automated profiling entails?

On behalf of the client/customer, given they sent/provided us the information, we can then organise users based on their recency, frequency and effort spent. We can then group the users to different personas based on their behavior.

This allows the client/customer to do things like: “Send an email to all the users who used to frequently visit the website but have not visited for a while.” This can be done, not only overall, but for specific sports entity. For example: “Send a notification to the users who used to engage with Barcelona content, but have not in a while”.

One of the processing operations mentioned is disclosure. To whom the data will be disclosed and what is the capacity of the third party accessing the data? Are there any third parties involved in the processing of the user data received from client/customer?

Any 3rd-party service the client/customer uses. For example, if the client/customer makes a deal to use MailChimp for sending emails, we need to give MailChimp the emails.

Fans Untied, currently, no 3rd-party has been integrated and has access to the user data, but any future 3rd-party processing will be optional. For example, let’s say Fans United makes a deal with a company that can build machine learning models for some form of behaviour analysis. The client/customer will have to make a deal with that company and then notifiy us “give our user’s data to company X”.

Long story short, disclosing data with third parties, provided it’s not government issued, is optional and up to the client/customer.

In order to comply with the user’s right of access to personal data, does Fan Entertainment have the possibility to export all of the user’s registered activity?

Yes. We even have the ability to show the user all their activity we have collected. So for example, the client/customer can build a page called “My activity” and the user can see what was collected for them.

The DPA, states that: “Licensee agrees that Fan Entertainment and Licensee each act as Controllers (as such term is defined in the GDPR) in respect of all other services that Fan Entertainment provides to the Licensee”. To what other services does this clause make reference?

Fans United provides consultancy, custom development and support services. Other services, requested on demand, might be provided, given that Fans Untied team has the necessary capacity.

Does the user have the possibility to delete directly from the user account the activity information regarding the games they participated in?

When speaking of the “user account”, it’s up to the client/customer if they decide to give this possibility to the user (add the functionality to the UI).

Fans United itself has the ability to delete only future predictions (those that have not been resolved yet).

For example, if the user makes a prediction about a match that is playing tomorrow, they have until the match starts to delete their prediction. If the match starts, they can no longer delete their prediction.

We do this, because since many of the games come with rankings and prizes, deleting past predictions can inflict changes to the ranking, possibly prizes given away, etc.

What happens in case the user deletes the Ringier Connect account? Does Fan Entertainment know of such action of the user?

Yes, we do. And we anonymise the account. We do not delete it. We change the names to “Deleted account”, change the email to “deleted-{random number}@deleted.com”. We also remove, gender, birthday, country, avatar, nickname, any interests the user might have declared. We remove the user from the lists of “Following” and “Followers” of other users.

We do all this because of the same reason from the above point. Deleting the user itself will result in change of rankings.

What happens in case the user deletes their account in the original authentication system? Does Fan Entertainment know of such action of the user?

Provided that the original authentication system notifies Fans United, we do. This can be achieved via webhook or API calls. Fans United anonymises the account. We do not delete it. We change the names to “Deleted account”, change the email to “deleted-{random number}@deleted.com”. We also remove, gender, birthday, country, avatar, nickname, any interests the user might have declared. We remove the user from the lists of “Following” and “Followers” of other users.

We do all this because of the same reason from the above point. Deleting the user itself will result in change of rankings.

What type of user information could Fan Entertainment delete without affecting the overall provision of services?

Fans United can delete all the personal data (without the user ID), interests, the “follow“ activity and all future predictions. While this will not affect the overall provision of services, some services will be incapacitated. For instance, if the email is deleted, the notification system will not work. If the demographic data is deleted from the profile, this will affect the reporting, and so on.

The DPA provides that, even after user data is deleted, Fan Entertainment withholds the right to use for its own purposes any information and data, received based on annonymisation of Personal Data. Does Fan Entertainment apply annonymisation to the personal data received from client/customer? What is the reason for withholding the respective data and for what purposes will the data be used?

Yes we apply annonymisation. The anonymised data stays because of the rankings and we use it for statistical reports such as “How many predictions made?”.

What is the difference between Fans United and Fan Entertainment?

Fan Entertainment LTD. is the company (legal entity), registered in Bulgaria. Fans United is the product/platform name.

Updated 4 months ago