16 / 05 / 2022

The data controller may not restrict the data subject's rights under GDPR

Service providers try to limit the data subject's rights in their agreements. According to the GDPR, it is only permitted to limit these rights in special cases. The restriction may therefore be illegal and result in fines.

An attempt to limit rights

An example of such a limitation is a video game released this spring, where the game distributor changed its end-user agreement. The change means that the distributor / service provider (data controller) uses a third party / subcontractor (data processor) for an additional service to the game. This is generally unproblematic. The problem arises in that the data controller requires the user (the data subject), as a condition for accessing the game, to consent to the data processor processing the data subject's personal data. This is not allowed.


The aforementioned case is also seen with other IT service providers, not just with game distributors.


Must have a legal basis for the processing

The starting point is that you, as the party responsible for the processing (the data controller), must have a legal basis for the processing, for example either consent or a legal basis in an agreement.


Requirements for a valid consent

The consent must be well-informed and voluntary for there to be a valid legal basis. The data controller must provide information on what consent is given for, what information is processed and the purpose of the processing so that the data subject can assess whether consent should be given. If the data subject does not have a real choice, feels compelled or experiences negative consequences by not consenting, the consent is invalid.


In the case of the game distributor, consent is required to use the game. This means that the user is not given a real choice, which creates a feeling of coercion. This is not allowed.


Cannot merge the end user agreement with a consent to data processing

Any form of inappropriate pressure or influence that prevents the data subject from exercising his or her free will means that the processing is illegal. An example of such situations is where the data controller "merges" consent to processing data with acceptance of an end-user agreement. Another example is where consent to processing data is required to provide the service, even if the processing is not necessary for the service delivery. The latter means that the processing extends beyond the purpose of the processing and beyond what is necessary to fulfill an agreement with the data subject.


For the game distributor, the purpose of the processing is to deliver the game to the user. The amendment to the agreement deals with the "third party" service and its collection of personal information. That service is additional software that is installed on the user's PC at the same time as the game in order to monitor the PC. The purpose is to detect whether the user is trying to cheat / hack the game. The distributor only refers to the "third party" privacy statement in its end-user agreement. It is not possible to understand the purpose of this processing. It is also not possible to know which personal data is collected and how the personal data is processed by the third party. This is a merging of consent to processing data with acceptance of an end-user agreement. That is illegal.


The "third party" privacy statement also allows for identifying and publishing information about any "cheaters" / "hackers". This goes beyond the purpose of the processing and beyond what is necessary to fulfill any purpose in an agreement. Consequently, the game distributor is acting in violation of the GDPR.


GDPR trumps economic interests

A question that may arise with the reader is "if a user / buyer thinks my service is not in accordance with GDPR, can't they just stop using my service or buy the service from someone else?" The answer is that all service providers with the EU / EEA as a market segment must comply with Union law as well as national law. The service provider is thus bound by the GDPR. The European Court of Justice has also stated that fundamental rights in the GDPR trump the financial interests of the service provider.


A service provider thus has no opportunity to demand consent as a condition for providing its services. Requiring consent in order to provide the services may be illegal and result in fines.


As a service provider, you should be careful about limiting the data subject's rights. If you are unsure whether you are limiting these rights, you should consider whether the processing is necessary to fulfill the agreement with the data subject, based on the purpose of the data processing.


John E. Nilsen
