1.1 The Policy covers all Personal Data in any form, including but not limited to electronic data, paper documents and disks and all types of Processing, whether manual or automated, that is under Asmodee Group’s possession or control, in all geographic areas where Asmodee Group operates. This will include information held about Asmodee Group members, partners, employees, consultants, clients, consumers, suppliers, business contacts and any third parties.
1.2 We do care about minors’ protection and have implemented some reasonable measures to prevent the Processing of minors’ Personal Data. Therefore, we do not process Personal Data from children without checking their digital age, which may vary from one country to another, and obtaining their guardian’s consent on their behalf if they do not have the minimum age required to provide their Personal Data to us.
2.1 Asmodee Group shall mean the company Financière Amuse BidCo (RCS Versailles 815 143 904) and the various Financière Amuse BidCo affiliates which are part of the Asmodee group.
2.2 Affiliate shall mean any corporation or other entity which directly or indirectly controls or is controlled by or is under common control with Financière Amuse BidCo. “Control” of an entity shall mean possession, directly or indirectly, of power to direct or cause the direction of management or policies of such entity, whether through ownership of voting securities, by contract or otherwise.
2.3 Third Party shall mean a third party or business Partner who receives from Asmodee Group or who is otherwise entrusted with Personal Data on behalf of Asmodee Group, for example suppliers, contractors, sub-contractors and other service providers.
2.4 Data Subject shall mean an identified or identifiable person whose Personal Data is being processed by Asmodee Group.
2.5 Informed Consent shall mean any freely given specific and informed indication of the Data Subject’s agreement to the Processing of his/her Personal Data.
2.6 Personal Data shall mean any information capable of identifying a natural person, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his or her physical, physiological, mental, economic, cultural or social identity. Data is considered personal when it enables anyone to link information to a specific person, even if the person or entity holding that data cannot make that link.
2.7 Sensitive Data (or Special Category of Data, which includes data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the Processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation) and Personal Data relating to criminal convictions and offences are a subset of Personal Data, which due to their nature have been classified by law or by an applicable policy as deserving additional privacy and security protections.
2.8 Process / Processing shall mean any operation or set of operations that is performed upon Personal Data, whether or not by automatic means, including, but not limited to collection, recording, organization, storage, access, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, making available, alignment, combination, blocking, deleting, erasure, or destruction (and Process shall be interpreted accordingly).
3. How do we ensure the lawfulness, fairness and transparency of our Personal Data Processing?
Personal Data is processed on the basis of legal grounds with the informed knowledge of the Data Subjects.
3.1 We will only use Personal Data:
- if necessary to perform a contract with the Data Subjects (e.g. our employees, contractors, clients, suppliers etc.); or
- if required to comply with a legal obligation; or
- where we have a legitimate business need or a legitimate business reason to use Personal Data as part of our business activities (e.g. when carrying out a Processing to better know our clients); or
- where we have the Data Subject’s Informed Consent when it is specifically required. For instance, where required by law (e.g. to send marketing information through electronic communication means) or by applicable policy, the Affiliate concerned of the Asmodee Group may need to obtain the consent of Data Subjects in order to collect, use, retain and disclose their Personal Data. This may also be the case where none of the other valid grounds described above is applicable and to the extent permitted under applicable law.
3.2 We consider that it is important to assess the privacy risks before we collect, use, retain or disclose Personal Data, such as in a new system or as part of a project.
3.3 Asmodee Group will only Process Personal Data in the way described in its specific privacy notices or privacy policies and in accordance with any Informed Consent we may have obtained from the Data Subject.
3.4 Asmodee Group will not carry out profiling activities based on automated decision making, unless legally grounded on a requirement of applicable law or the performance of a contract or the Data Subject’s consent and provided that suitable safeguards are implemented to protect the Data Subjects’ rights.
3.6 Where legally required, we will ensure that Data Subjects are provided with relevant information concerning the Processing of their Personal Data, unless it is impossible to provide such information or it would require disproportionate efforts to do so. Such information will notably include the purposes of the data Processing, the types of data collected (if the data have not been obtained directly from the data subject), the categories of recipients, the list of rights which may be exercised by the Data Subjects, the consequences of a failure to reply, the conditions of the transfer of Personal Data outside the EU, if any, and the mechanism used to protect the data in the event of a transfer, etc. This requirement may be satisfied by issuing a privacy notice to Data Subjects at the point where Personal Data are originally collected from them. Privacy notices shall be written in language which provides Data Subjects with a clear understanding as to how their Personal Data will be used.
4. How do we process Personal Data for specific and legitimate purpose and verify that Personal Data is minimized and accurate?
Personal Data will only be collected and processed for legitimate purposes, complying with the Personal Data minimization principle and ensuring the accuracy of the Personal Data processed.
4.1 Personal Data will be collected for specified, explicit and legitimate purposes (which could be multiple) and not further processed in a manner that is incompatible with those purposes.
4.2 We carefully evaluate and define the purposes of the Personal Data Processing before launching a project (e.g. management of HR data, management of recruitment data, payroll purpose, accounting and financial management, risk management, management of employees’ safety, allocation of IT tools and any other digital solutions or collaborative platforms, IT support management, health and safety management, information security management, client relationship management, bids, sales and marketing management, supply management, internal and external communication and events management, compliance with anti-money laundering and anti-bribery obligations or any other legal requirements, data analytics operations, implementation of compliance processes, management of mergers and acquisitions, etc.).
4.3 We will ensure that the Personal Data we collect are relevant, adequate and not excessive in relation to the purpose of the Data Processing and its eventual use (insights, marketing, promotions, etc.). This means that only necessary and relevant information for the purpose sought can be collected and processed.
4.4 When collecting Sensitive Data or Personal Data relating to criminal convictions and offences, proportionality is fundamental! We do not collect Sensitive Data or Personal Data relating to criminal convictions and offences, unless required by applicable law or when allowed by applicable law with the Data Subject’s prior express consent.
4.5 Every reasonable step will be taken to ensure that Personal Data are maintained in an appropriately accurate and up-to-date form at every step of Personal Data Processing (i.e. collect, transfer, storage and retrieval).
4.6 We encourage Data Subjects to help us keep their Personal Data up to date by exercising their rights, notably those of access and rectification.
5. What Security and confidentiality measures are implemented?
Since Employees, customers, suppliers, consumers and business partners put their trust in Asmodee Group when they provide us with their Personal Data, Asmodee Group ensures the security and confidentiality of the Personal Data it Processes.
5.1 We protect any Personal Data collected, used, retained and disclosed to support our business activities by following the relevant usage, technical and organizational policies, standards and processes.
5.2 Industry standard technical and organizational measures are implemented to protect against accidental or unlawful destruction or loss, alteration, unauthorized disclosure or access, or any other unlawful or unauthorized forms of Processing.
5.3 Where Processing is to be carried out on behalf of Asmodee Group, it will select service providers providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that Processing will meet the requirements of applicable data protection laws and ensure the protection of the rights of the data subject.
5.4 Asmodee Group endeavors to take reasonable measures based on Privacy by design and Privacy by default (as defined hereafter) as appropriate to implement necessary safeguards when Processing Personal Data. Asmodee Group will thus implement technical and organisational measures, at the earliest stages of the design of the processing operations, in such a way that safeguards privacy and data protection principles right from the start (‘Privacy by design’). By default, Asmodee Group should ensure that Personal Data is processed with privacy protection (for example only the data necessary should be processed, short storage period, limited accessibility) so that by default Personal Data is not made accessible to an indefinite number of persons (‘Privacy by default’).
5.5 When a Personal Data Processing is likely to result in a high risk to the rights and freedoms of Data Subjects, we will carry out a privacy impact assessment prior to its implementation.
5.7 Further information on the IT security measures is provided in the Asmodee Group Security Program, which includes in particular the IT Usage Policy and any other security measures available within the Asmodee Group.
6. For how long do we keep your Personal Data?
6.1 Any person handling Personal Data for Asmodee Group will keep it only for as long as it is necessary for the purpose for which it has been collected and processed (and other compatible purposes) which may include:
- to meet or support a business activity; or
- to comply with a legal or regulatory requirement and comply with applicable statute of limitation requirements; or
- to defend against legal or contractual actions (in which case, the Personal Data may be retained until the end of the corresponding statute of limitation or in accordance with any applicable litigation hold policies).
6.2 Personal Data is retained and destroyed in a manner consistent with applicable law and in accordance with Asmodee Group applicable retention policy.
7. What are your rights, as Data Subject?
We are receptive to queries or requests made by Data Subjects in connection with their Personal Data and where required by law, we provide Data Subjects with the ability to access, correct, restrict and erase their Personal Data as set forth by applicable law. We also allow them to oppose the Processing of their Personal Data, and to exercise their right to portability.
7.1 Access right: we will provide access to all Personal Data related to a Data Subject as required by law, together with information on the purposes of the Processing, categories of data processed, categories of recipients, data retention term, rights to rectify, delete or restrict the data accessed if applicable, etc.
7.2 Right to portability: we may also provide a copy of any Personal Data that we hold in our records in a format compatible and structured to allow the exercise of the right to data portability to the extent it is relevant under applicable law.
7.3 Right to rectification: Data Subjects can request to correct, amend or erase any information which is incomplete, out of date or inaccurate.
7.4 Right to erasure: Data Subjects can request the deletion of their Personal Data (i) if such Personal Data is no longer necessary for the purpose of the data Processing, (ii) the Data Subject has withdrawn his/her consent on the data Processing based exclusively on such consent, (iii) the Data Subject objected to the data Processing, (iv) the Personal Data Processing is unlawful, (v) the Personal Data must be erased to comply with a legal obligation applicable to Asmodee Group. Asmodee Group will take reasonable steps to inform the other entities of the Asmodee Group of such erasure.
7.5 Right to restriction: (i) in the event the accuracy of the Personal Data is contested to allow Asmodee Group to check such accuracy, (ii) if the Data Subject wishes to restrict the Personal Data rather than deleting it despite the fact that the Processing is unlawful, (iii) if the Data Subject wishes Asmodee Group to keep the Personal Data because he/she needs it for his/her defense in the context of legal claims (iv) if the Data Subject has objected to the Processing but Asmodee Group conducts verification to check whether it has legitimate grounds for such Processing which may override the Data Subject’s own rights.
7.6 Right to withdraw his/her consent: when the Personal Data Processing is based on Data Subject’s consent, Data Subject may withdraw such consent at any moment, without affecting the lawfulness of Processing based on consent before its withdrawal.
7.7 Right to object: Data Subject can also indicate his/her objection to the Processing of his/her Personal Data at any time:
- when used for marketing purpose or profiling to send targeted advertising, or
- to object to the sharing of his/her Personal Data with third parties or within the Asmodee Group, or
- when the Processing is based on the legitimate interest of Asmodee Group, unless Asmodee Group demonstrates compelling legitimate grounds for the Processing which override the interests, rights and freedoms of the Data Subject or for the establishment, exercise or defense of legal claims.
To exercise these rights, please complete the form and send it to the address indicated in the form.
The Data Subject also has the right to lodge a complaint with the competent supervisory authority.
8. When and how do we disclose your Personal Data to third parties?
Personal Data is only disclosed outside Asmodee Group where there is an overarching legal justification to do this.
8.1 Disclosure is made on a strictly limited ‘need to know’ basis where there is clear justification for transferring Personal Data - either because the Data Subject has consented to the transfer or because disclosure is required to perform a contract to which the Data Subject is a party, or for a legitimate purpose that does not infringe the Data Subject’s fundamental rights, including the right to privacy (e.g. sharing in the context of a merger and acquisition operation etc.). In each case the Data Subject will be aware that the disclosure is likely to take place. Assurances will also be sought from the recipient that they will only use the Personal Data for legitimate / authorized purposes and keep it secure.
8.2 If a particular disclosure is required to meet a legal obligation (for example to a government agency or police force / security service) or in connection with legal proceedings, generally the Personal Data may be provided so long as the disclosure is limited to that which is legally required and, if permitted by law, the Data Subject has been made aware of the situation (i.e. the Data Subject was told of the possibility of such an event in an Informed Consent or is notified at the time of the request for disclosure).
9. How are international transfers of Personal Data from the EU protected?
Personal Data originating from those Asmodee Group entities operating within the EU will not be transferred outside the EU to a third country which does not ensure an adequate level of protection unless appropriate safeguards are implemented in accordance with applicable laws.
9.1 International Personal Data transfer is a very sensitive topic and is taken seriously before any Personal Data is transferred from its European Economic Area (“EEA”) country of origin to a non-EEA country, whether such transfer is done for technical purposes (storage, hosting, technical support, maintenance etc.) or for the main purposes (Human Resources management, clients database management, etc.).
9.2 We never carry out international transfers of Personal Data from an EEA country to a non-EEA country without ensuring that appropriate transfer mechanisms as required by applicable data protection laws are in place, to ensure adequate protection of the data when transferred (e.g. adequacy decision, privacy shield certification if the transfer is made to the US, signature of EU Commission model clauses as appropriate, etc.). In some cases, we may also have to notify or gain pre-approval from the relevant privacy regulator prior to the transfer taking place.
10. How do we handle complaints?
10.2 Data Subjects are informed that they can complain about privacy issues by writing an email to the Legal Department of Asmodee Holding at the following address: email@example.com, and that they may file a complaint with a supervisory authority. In particular, this shall be expressly specified in the privacy notices communicated to and/or accessible by Data Subjects.
Customer B2C Privacy Notice
Your privacy is important to Asmodee. This Privacy Notice explains how we handle and treat your personal data when you use the products or services that Asmodee provides.
This Privacy Notice explains our approach to any personal data that we collect from you or that we have obtained about you from a third party and the purposes for which we process your personal data. It also sets out your rights in respect of our processing of your personal data.
We may collect personal data from you in the course of our business, including when you use our applications and websites, when you enter in our competitions or participate in tournaments, or when you contact or request information from us.
- Who is responsible for your personal data?
- Minimum age
- What personal data do we collect about you?
- How do we use your personal data?
- Who do we disclose your personal data to?
- How long do we retain your personal data?
- Security of your personal data
- What are your rights?
- Contact and complaints
- Changes to this Privacy Notice
1. Who is responsible for your personal data?
Asmodee Group, with registered office in 18 rue Jacqueline Auriol - 78280 Guyancourt (France) and company number 399 899 806 (“Asmodee” or “we”), is the controller of your personal data.
2. Minimum age
Protecting the safety and privacy of children is very important to us. We do not knowingly collect or use personal data from anyone under the age of 15 years old, without the consent of both the child and the holder of parental responsibility. Therefore, you represent that you are at least 15 years old when you provide your personal data in relation to our products or services. If you are not at least 15 years old, you must ask the consent of your parent or legal guardian to provide us with your personal data. In this case, please use the contact details indicated in Article 9 below.
3. What personal data do we collect about you?
We collect information regarding you, such as:
- Identification data such as your first and last names and your birthdate,
- Data relating to your personal life such as your personal email or postal address,
- Your connection data when you access our applications and websites,
- Your personal habits with respect to the use of our games,
- Your food preferences in the context of a tournament where we provide food to participants, and
- Other information necessary to provide our products and services, and to respond to your queries.
4. How do we use your personal data?
We use your personal data for the purposes listed below. Whenever we process your personal data, we do so on the basis of a lawful “justification” (or lawful basis) for processing, which we have identified in the table below.
| # | Purpose for processing | Lawful basis |
|---|---|---|
| 1 | To fulfil your requests for certain products and services. | This processing is necessary to perform the contract between you and Asmodee. |
| 2 | To manage your personal Asmodee account. | This processing is necessary to perform the contract between you and Asmodee. |
| 3 | To administer promotional offers, contests or other promotional events, such as tournaments, and notify winners. | This processing is necessary to perform the contract between you and Asmodee. |
| 4 | To respond to your queries or complaints. | This processing is based on your consent. |
| 5 | To send you marketing communications regarding our services and products. | We consider that we have a legitimate interest in ensuring that our customers are kept up to date with information about our products and services, as this helps us to preserve our business operations or grow our business. However, where we are required by law to obtain your consent before sending you such information, we will rely upon such consent as our basis for processing. |
| 6 | To comply with any applicable law, court order, other judicial process, or the requirements of a regulator. | This processing is necessary to comply with our legal obligations. |
| 7 | To enforce our agreements with you. | We consider that we have a legitimate interest in ensuring that our contracts are performed correctly and in defending our rights where necessary. |
| 8 | To enforce our legal rights and obligations, and for any purposes in connection with any legal claims made by, against or otherwise involving you. | We consider that we have a legitimate interest in protecting our organization from breaches of legal obligations owed to it and to defend itself from litigation. |
| 9 | To protect the rights of third parties. | This processing is necessary for the compliance with legal obligations to which Asmodee is subject. This processing is also necessary for the purpose of the legitimate interests pursued by Asmodee. We consider that we have a legitimate interest in ensuring our activities do not violate any third parties’ rights. |
| 10 | In contemplation of and/or in connection with a business transaction such as a merger, or a restructuring, or sale. | We consider that we have a legitimate interest as we need to be able to make decisions relating to the future of our business in order to preserve our business operations or grow our business. |
5. Who do we disclose your personal data to?
We may share your personal data with a variety of the following categories of third parties as necessary:
- Other entities of the Asmodee group (the list of Asmodee affiliates is available here),
- Third party service providers (maintenance, storage, payment, logistics, marketing services, etc.), for the purposes described in Section 3 above,
- Our professional advisers such as lawyers and accountants, auditors,
- Government or regulatory authorities,
- Professional indemnity or other relevant insurers,
- Regulators/tax authorities/corporate registries, and
Please note this list is non-exhaustive and there may be other examples where we need to share with other parties where justified by our legitimate interest, permitted by applicable law, or necessary for compliance with a legal obligation to which we are subject.
In this context, your personal data may be transferred outside the European Economic Area (EEA), to countries not offering a level of protection of personal data equivalent to that offered within the EEA, such as China, USA, Canada, etc. In the absence of an adequacy decision of the European Commission, the transfer of your personal data will be made pursuant to standard contractual clauses adopted by the European Commission.
6. How long do we retain your personal data?
Our general approach is to retain your personal data only for as long as required to fulfil the purposes for which it was collected. We generally retain your personal data for the duration strictly necessary for the management of our relationship with you. However, unless you object, we retain your personal data used for marketing purposes for an additional 3-year period after the end of our relationship with you.
However, we may in addition retain personal data for longer periods of time, for instance where we are required to do so in accordance with legal, tax and accounting requirements, or where such data is necessary to establish the existence of a right or contract. In that case, your personal data will be archived and retained for the duration imposed by applicable law, or for the duration of the applicable statute of limitations.
When your personal data is no longer necessary, we will delete or anonymize it.
7. Security of your personal data
We are committed to keeping your personal data secure and we have implemented appropriate information security policies, rules and technical measures to protect it from unauthorised access, improper use or disclosure, unauthorised modification and unlawful destruction or accidental loss.
All of our partners, employees, consultants, workers and data processors, who have access to, and are associated with the processing of personal data, are obliged to respect its confidentiality.
8. What are your rights?
You have a number of rights in relation to your personal data. More information about each of these rights is set out below:
- Withdrawal of consent. You can withdraw at any time your consent in respect of any processing of personal data based on your consent, without affecting the lawfulness of processing based on your consent before its withdrawal.
- Access. You can ask us to confirm whether we process your personal data and, as the case may be, inform you of the characteristics of such processing, allow you to access such data and give you a copy of it.
- Rectification. You can ask us to rectify or complete inaccurate or incomplete personal data.
- Erasure. You can ask us to erase your personal data in the following cases: where it is no longer necessary for the purposes for which it was collected; you withdrew your consent; you objected to the processing of your personal data; your personal data has been processed unlawfully; or to comply with a legal obligation. We are not required to comply with your request notably if the processing of your personal data is necessary for compliance with a legal obligation or for the establishment, exercise or defence of legal claims.
- Restriction. You can ask us to restrict the processing of your personal data (i.e., keep but not use your personal data) where: the accuracy of your personal data is contested; the processing is unlawful, but you do not want it erased; it is still necessary to establish, exercise or defend legal claims; or to verify the existence of overriding grounds following the exercise of your right of objection. We can continue to use your personal data following a request for restriction, where: we have your consent; to establish, exercise or defend legal claims; or to protect the rights of another natural or legal person.
- Portability. You can ask us to provide your personal data to you in a structured, commonly used, machine-readable format, or you can ask to have it ‘ported’ directly to another data controller, but only where the processing is based on your consent or on the performance of a contract with you, and the processing is carried out by automated means.
- Digital legacy. You have the right to define (general or specific) directives regarding the fate of your personal data after your death.
- Objection to phone solicitation. If you give your phone number but do not wish to receive commercial phone calls, you can register on the opt-out list “Bloctel”: www.bloctel.gouv.fr.
- Right to object to processing justified on legitimate interest grounds. Where we are relying upon legitimate interest to process personal data (see Section 2), then you have the right to object to that processing. If you object, we must stop that processing unless we can either demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms or where we need to process the data for the establishment, exercise or defense of legal claims.
- Right to object to processing for marketing purposes. Where we process personal data for direct marketing purposes, then you have the right to object to that processing at any time.
You also have the right to lodge a complaint with a supervisory authority if you consider that the processing of your personal data infringes applicable law. In France, the supervisory authority for the protection of personal data is the CNIL (www.cnil.fr).
9. Contact and complaints
For further information regarding your rights, to exercise any of your rights, or if you have any complaints or questions regarding the processing of your personal data, please contact firstname.lastname@example.org
10. Changes to this Privacy Notice
We may occasionally change this Privacy Notice, for example, to comply with new requirements imposed by the applicable laws, technical requirements or good commercial practices. We will notify you in case of material changes.