Points wise, this is no different than just not submitting that player. After all, a player needs to play in 5 matches (and contribute $5) before adding anything to the points.
That is true for North America only I believe.
The contribution part, yes, is for North America, but the 5 tournaments before that player contributes is a worldwide rule as dictated when it was introduced in 2015:
“Only Rated players will be included in the player count with respect to base value. A player becomes Rated after participating in 5 events lifetime. These unrated players will still be able to earn WPPR points, and impact the distribution of the points from a tournament, but they simply won’t be counted towards the 1/2 point per player count for the base. This is to limit the impact of organizers trying to sign up random participants, or worse, list fake names of players that did not participate as a way to artificially increase the base value of the tournament.”
This seems like an impossible nightmare in a world where nearly everything is digital and online.
How strict is the clause “identified or identifiable natural person?” If there was a generic user record with absolutely zero personal information on it, is that ok? If someone concludes a 30-hour deep dive into the past 4 years of tournament results and cross references tournaments with scrubbed results and finds only one person that fits all the possibilities, is that considered an identifiable natural person?
Frankly, I don’t like the idea of having to delete the data at all. If a person doesn’t want to be listed, then that’s fine. Forcing IFPA to pretend the person never played in the first place seems wrong. There should be no problem with keeping a tournament result.
What makes it more confusing is that it only covers data that is accumulated about that person when it occurs in the EU. So if someone from a EU country plays in Pinburgh, GDPR rules do not apply, but IFPA WC in Germany, it would.
I’m hoping to run our situation by one of GDPR experts (my company products software that covers GDPR) and see what they feel we need to be worried about.
It’s definitely forcing folks to think differently about the data they handle if they want to engage with Europeans – and I’m fairly sure that was the intent behind the legislation. Over the last few years we’ve rapidly given up a ton of privacy as a society, so personally I’m happy to see a shift in favor of privacy, even if it means my day job suddenly becomes a complete pain in the ass.
You might check your sources on that. We’ve been operating with the understanding that the GDPR is applicable to European residents even when abroad. Obviously if you aren’t actively marketing to Europeans, and aren’t otherwise engaged in business in Europe, opportunities for enforcement are going to be limited, but I’ve been told this is going to be an interesting aspect to watch when it finally is tested.
In short, this is what you should do to become “GDPR compliant enough”:
- Document (internally) what personal data you store or process, why you have it, and where it is stored.
- Have procedures in place to ensure that you can handle complaints within 30 days. The most likely requests are: “What do you have on me?”, “Remove what you have on me.” and “You’ve got some wrong info on me - please fix.”. In the case of removal, well-implemented anonymisation should be good enough.
A few notes:
- Personal information - as mentioned by others - is anything which can be used to identify a person. It is specified that the possibility of indirect identification can in some cases be enough to classify data as personally identifiable. For example, in a web server access log, the IP address can be deemed personal information if you have legal means of obtaining from ISPs a link between an IP address and a person.
- You need to handle complaints, but you need not blindly comply. For example if implementing a request has a large impact on other people’s privacy rights.
- You may need to have a way to contact people to inform of data breaches possibly involving their data. If all info you store is publicly available already, you’re unlikely to have data breaches which are deemed serious enough to warrant contacting players, though.
(Edit: IANAL, but currently involved in GDPR work in an international tech company. Hopefully I’m not too wrong above, otherwise we’re also in trouble. )
Honestly, it seems like the easiest solution would be for the player in question to submit under a pseudonym (option 2); they could rest easily knowing that any sort of programming error doesn’t unintentionally “unsuppress” them. Would make it harder to change it around if they want to reverse their decision, but at the same time they should know the risk when asking for suppression.
I think the more people brought into the process (i.e. option 3), the less valuable an attempt at suppressing one’s score(s) will be, since I’m gathering the person wants as few folks to know as possible.
But these are just my thoughts with extreme ignorance of IFPA processes and score tracking infrastructure.
Personally I think I’ll go down the route of stating on all advertisement for any tournaments I run, and at time of registration, that results will be submitted to the IFPA. If a player chooses to suppress themselves - that’s their choice and I’ll let them know how they do that. If they don’t want their results submitting at all - they will be told they cannot enter the comp at all.
It’s then their choice how they wish to proceed
For those of you with nothing better to do.
What are the lawful bases for processing?
The lawful bases for processing are set out in Article 6 of the GDPR. At least one of these must apply whenever you process personal data:
(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
© Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
(d) Vital interests: the processing is necessary to protect someone’s life.
(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)
I would argue that a), e) & f) could all apply, however f) is the best fit based on
This can be broken down into a three-part test:
1.Purpose test: are you pursuing a legitimate interest?
2.Necessity test: is the processing necessary for that purpose?
3.Balancing test: do the individual’s interests override the legitimate interest?
A wide range of interests may be legitimate interests. They can be your own interests or the interests of third parties, and commercial interests as well as wider societal benefits. They may be compelling or trivial, but trivial interests may be more easily overridden in the balancing test.
- is a ranking system (for which the person’s tournament history is required) a legitimate interest?
- is the processing necessary? Without the players tournament history, from name and IFPA number it would be impossible.
3.No. If they don’t want their name and tournament history recording - they have the choice not to enter the tournament.
Don’t fundamentally disagree with anything you’ve put there Wayne… But as I said earlier, there is a way to anonymise the user’s name and still allow ranking results to be calculated. That is done by running the name through a one way hash
This is something the IFPA guys would have to perform, so that real names are submitted on the results sheet, but each real name is then hashed and compared against a ‘suppressed player’ table (which also stores the hash, linked to a player number). This allows results to be calculated whilst still anonymising the actual player name in the database. Also allows the possibility of de-anonymising the player at some later point (on request by that player, and which could only be done by matching on the hashed name)
It’s difficult to go into the technical fiddly bits without knowing how the IFPA guys structure their data, but I’d suggest hashing the names of suppressed players would be a solution. Hashing is a fairly simple process for any competent programmer, and I’d be happy to provide pointers if required.
And for other aspects of GDPR I think @Omo pretty much nailed it. Given that the names are public (for all but suppressed players) compliance would probably just be a case of encrypting the email addresses that are stored, and not distributing them to third parties without approval first (which is a change to how IFPA sponsors currently have access to everyone’s email address)
This is a good point. I believe IFPA is currently in violation of the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA) because it doesn’t give us the option to opt out of having our email address shared with third parties for marketing purposes.
Clause 4.33 of Schedule 1 reads: “An organization shall not, as a condition of the supply of a product or service, require an individual to consent to the collection, use, or disclosure of information beyond that required to fulfil the explicitly specified, and legitimate purposes.”
I would argue that requiring an email address to be eligible for IFPA Championship events is not legitimate. (Then again, IANAL.)
Regardless, even though I can probably count on one hand the number of marketing emails I’ve received from IFPA sharing my email address, it would be nice to have the option to opt out.
I don’t see how you would argue that.
Participation in IFPA Championship events is not a basic human right, we don’t charge you anything if you don’t participate and you are freely open to not provide an email and not participate.
In lieu of not providing an email address in order to be eligible for these services, we have an alternative option for players to pay for these services at a price of $10,000 per year. This will allow a player access to all the IFPA services without the need to provide us their email address.
I think @PressStart and I can live with that alternative
It’s not a basic human right, but it also has nothing to do with whether I have an email address or not.
If you say that an email address is required in order to be able to communicate about the IFPA Championship events, fine, then use it for that. That would be a legitimate use. The point I’m objecting to is having it shared for marketing purposes.
I know it makes the administration more difficult to allow people to opt out and it’s more attractive for sponsors to have access to a large pool of email addresses, so I completely understand why it has been set up this way, but I still think it’s in contravention of PIPEDA. However, I have no intention of filing a complaint with the Office of the Privacy Commissioner.
Do we make the cheque payable directly to you, @pinwizj?
Amanda Sharpe . . . we ALL win if that money goes to her
Is this even relevant tho? because your interaction with ifpa for tournaments isn’t commercial activity. The law is scoped to what organizations it applies too
Hmmm, good point. “Commercial activity” isn’t very well defined. My understanding, though, is that it’s pretty broad-reaching.
The Interpretation Bulletion: Commercial Activity doesn’t shed much light on an organization like IFPA.
It highlights the relevant statutory provisions as being:
Subsection 2(1) of PIPEDA states that “commercial activity” means “any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists.”
Paragraph 4(1)(a) of PIPEDA provides that PIPEDA applies to every organization in respect of personal information that the organization “collects, uses or discloses in the course of commercial activities.”
Given that the IFPA collects $1 per player for each sanctioned tournament in North America, it awards prizes as part of the Championship Series, and it makes the email addresses of its registered players available to sponsors, wouldn’t that qualify as “commercial activity” as defined above?
It’s not a position I plan to defend vehemently. I just feel that the spirit of the legislation is to limit the forced disclosure of personal information and to restrict its use to what’s relevant to deliver a service.
This is supported by the stated purpose:
3 The purpose of this Part is to establish, in an era in which technology increasingly facilitates the circulation and exchange of information, rules to govern the collection, use and disclosure of personal information in a manner that recognizes the right of privacy of individuals with respect to their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances.
We can probably discuss to death what’s appropriate and reasonable. My personal opinion is that disclosing my email address to sponsors for marketing purposes is unnecessary for the provision of the IFPA Championship Series and therefore I should have the ability to opt out. Maybe it’s legal, maybe it isn’t, but either way I find it unsavoury.
I think it’s a clash of privacy cultures. There seems to be a “what does it matter?” camp and one that wishes to retain as much privacy as possible. I happen to fall in the latter…even though I know it’s all an illusion and nothing is really private anymore.
Maybe (hopefully) things are different in Canada, but in the States, intent never matters, and all it takes is one tricky lawyer to twist the actual letter of the law, and suddenly a bill has a different application. Without having done much research, I’d think it’s easy to say ‘the IFPA isn’t a for-profit business, therefore we don’t have any commercial activity’. Or something along those lines. Sure, a sponsor gets emails of participants, but if they didn’t actually pay for them specifically, is it really a commercial transaction? I don’t know. Call it a cop-out, call it morally irresponsible, call it corporate greed, whatever, I think it’s the reality of running a global organization. Easier to argue why the law doesn’t apply to you than to change to abide by a law.
And on a slightly different note, I have to ask a question to those who would rather compete without having to have an email on file. All of the state championships I’ve looked into have streams and video recordings for this past year. Why is having an email address on file for a small group of people (sponsors) a problem but your face and name being displayed to a (potentially) wide audience not? It seems like if privacy were really of importance, that would be a far bigger issue, isn’t it? Am I missing an obvious difference here?
Second question, has anyone actually gotten an email from any of these sponsors? Is that a thing that happens to the elite players but the lower ranks (like me) don’t get them? I’m sure I’ll get a whole bunch of people saying ‘it’s the principle that matters!’ Which is true, but I’m still curious.