DATA PROTECTION STATEMENT
smuttlewerk interactive UG (“smuttlewerk”/“we”) is committed to protecting the privacy of its users (“users”/“you”) with regard to the processing of personal data. smuttlewerk observes the applicable data protection requirements.
We have compiled this document to inform our users about the handling of their data. If you have any questions concerning the use of your personal data by smuttlewerk, or if you would like to revoke a previously granted declaration of consent, please get in touch with us and tell us about the game you play and your platform.
This Data Protection Statement applies to all services offered on the websites operated by smuttlewerk, in particular smuttlewerk.com (“website”), and mobile applications, as well as the games offered for download via portals such as the Apple App Store and Google Play Store etc. (“games apps” or “apps”).
1. General information on data processing
1.1 Legal basis for the processing of personal data
Article 6 para. 1 lit. a of the EU General Data Protection Regulation (GDPR) serves as the legal basis for the processing of personal data that was obtained with the consent of the data subject.
Article 6 para. 1 lit. b GDPR serves as the legal basis for the processing of personal data that is required for the performance of a contract to which the data subject is a party. This also applies to data processing operations that are necessary for the performance of pre-contractual measures.
In as far as the processing of personal data is required for compliance with a legal obligation incumbent on our company, the legal basis for data processing is Article 6 para. 1 lit. c GDPR.
In the event the vital interests of the data subject or another person compel us to process personal data, Article 6 para. 1 lit. d GDPR serves as the legal basis for such data processing.
Article 6 para. 1 lit. f GDPR serves as the legal basis if the data processing is necessary to safeguard a legitimate interest of our company or a third party in a situation where the interests, fundamental rights and fundamental freedoms of the data subject do not prevail over the legitimate interest of our company or a third party.
1.2 Deletion of data, storage period
We will delete or block a data subject’s personal data as soon as the purpose of storing the data has been achieved. Personal data can be stored for longer periods if prescribed by a European or national legislator in EU regulations, laws or other regulations that govern the data controller. The data is also blocked or deleted at the end of a retention period prescribed by one of the above regulations, unless the data is required to be stored for a longer period for the purpose of performing or entering into a contract.
1.3 Data security
We always try our best to put reasonable arrangements in place to prevent unauthorised access to your personal data, use of your personal data or manipulation of your personal data and to minimise the risk of these incidents occurring. The provision of personal data is, irrespective of whether disclosed in person, over the phone or via the internet, inevitably associated with certain risks and no technological system is absolutely fail-safe from being manipulated or sabotaged.
We process all information collected from you in accordance with the German and European data protection laws. All our employees are bound by data secrecy and the data protection regulations and have been instructed accordingly. When making a payment, your data will be transmitted using SSL-encryption technology.
2. Collection and use of personal data via the website and apps
2.1 Our website can be used by all users without requiring registration. We use no website analytics.
2.2 To improve the gaming experience for our users, smuttlewerk will collect information on the duration of use, the number of times the games app was launched, internet protocol, IP address, device type and operating system, data volume transferred, access status (file transfer, file not found etc), avatar name, download tag and game app version, as well as amounts/tokens you have invested in the game app's features. This data can be used to generate pseudonymised statistics that help smuttlewerk to make the apps and games even better for you, fix bugs and improve our services. The data is not used for any other purpose specifically related to the data subject. This data will be deleted as soon as there is no further need for their storage, the user has requested the data to be deleted, or a law prohibits the (continued) storage of the data. Data can only be deleted if the deletion is not opposed by a statutory retention obligation.
As a general rule, smuttlewerk will only collect and use the personal data specifically disclosed by the user, i.e. during his registration or login, for the user's enrolment in prize competitions or use of paid services. Personal data means data that contains information about personal or factual circumstances (e.g. name, address, date of birth, e-mail address).
The contractual use of the games apps requires the collection and processing of the user’s personal data by the stores. smuttlewerk has no control over this type of data collection and does not accept any liability or responsibility. Detailed information about the data collected by Google Play and Apple App Store, Windows Store and other stores may be obtained from the data protection statement of the respective store. smuttlewerk processes this data to the extent it is provided by the stores and necessary for downloading the games app to the user's device, as well as for the operation of the games app. The data is not stored for any other purposes.
The user may be required to disclose additional data, such as his full name, address, etc., for purposes associated with the contractual use of the games app and the performance of the license agreement accepted by downloading the app, and in particular data associated with the use of paid services by the user (i.e. download of a paid app or in-game purchase). smuttlewerk does not collect and process any payment data (bank account numbers, credit card data, etc.).
- Google Play IDs and Game Center IDs can be saved to allow login from multiple devices.
- Legal basis for data processing
The legal basis for the temporary storage of data and log files is Article 6, para. 1 lit. f GDPR.
2.3 Data processing purpose
The temporary storage of a user's IP address by the system is necessary to deliver the services to the user’s computer. This requires the IP address to remain stored for the duration of the session.
The storage in log files serves the purpose of warranting the faultless functioning of the services. The data also assists us in optimising the website and in warranting the security of our computer systems. The data is not analysed for any marketing purposes; it is analysed exclusively for statistical purposes.
Our legitimate and prevailing interest in processing the data pursuant to Article 6 para. 1 lit. f GDPR is based on these purposes.
2.4 Period of storage
The data will be deleted as soon as it is no longer required for achieving the purpose of its collection. Where data is collected for the purpose of making the website available, this is the case when the respective session has ended.
Where data is stored in log files, this is the case after a maximum period of seven days. In certain other cases, your data may be stored for longer periods. If this is the case, the IP addresses of the users will be deleted or anonymised, with the result that the accessing client can no longer be identified.
3. Login via a third-party platform
3.1 By logging into the games via a third-party user account, such as the Facebook account or Google+ account or other social networks, the user declares his consent to the access to and/or storage of
- certain account and/or profile information held by such third-party provider or
- certain information stored in cookies downloaded to your device by a third-party platform.
3.3 The user may change his login settings at any time if he wishes to prevent such data from being exchanged with Facebook, Google or other social networks he has previously used to log in to our services.
4. Disclosure of the data to third parties; contract (data) processing
4.1 The user's personal data will be treated confidentially and will generally only be disclosed to external service providers or contractors with the user’s express consent, or if disclosure is necessary to perform a contract, respond to inquiries or to provide customer support. smuttlewerk cooperates with providers who collect and compile statistical data, as well as with IT service providers (i.e. computer centres, hosting, back-up and database services). The user’s legitimate interests are given consideration in accordance with the statutory requirements. The external service providers are under a statutory obligation to treat the data confidentially and securely and are only permitted to use the data to the extent necessary to perform their duties. In as far as external service companies perform contract data processing, the statutory requirements pertaining to contract (data) processing are observed.
4.2 In all other respects, personal data is only disclosed if required for the protection of other users, for the prosecution of criminal offences, or as permitted under the statutory data protection regulations. We may in certain cases be compelled to disclose the data on the basis of statutory requirements (i.e. disclosure to investigating authorities). Disclosure is always limited to the extent necessary, legally permitted or prescribed.
4.3 A declaration of consent to the disclosure of data previously granted to us may be revoked at any time and without stating reasons.
5. Modification and deletion
smuttlewerk can, at its own discretion or at the user's request, complete, correct or delete any personal data stored by smuttlewerk in relation to the operation of this website or the games app that is incomplete, incorrect or outdated.
smuttlewerk complies with the statutory requirements and deletes personal data immediately upon being requested to do so by the user, unless prevented from deleting the data by statutory retention obligations.
6. Links to other websites
Our website may from time to time contain interactive references (so-called links), for which smuttlewerk does not accept any responsibility. smuttlewerk has no control over the content and design of the linked external websites or internet services the user may access via our webpages. The respective operators of these internet services are exclusively responsible for their design, content and compliance with data protection requirements.
8. Push notifications
8.1 Description and scope of data processing
You can set the configurations of your device to permit us to send you push notifications for updates to games apps and other relevant information. You can manage your push settings in the “options” or “settings” menu of your mobile app, or in the settings of your device.
8.2 Legal basis for data processing
The legal basis for the processing of the data for the purposes of a contract is Article 6 para. 1 lit. b GDPR.
8.3 Period of storage
The data will be stored until you delete them.
8.4 Your right to object and contest a decision
For Apple mobile devices: Open the settings on your mobile device (e.g. iPhone or iPad), and select the menu item "Privacy". You can switch off ad tracking under the menu item "advertising".
For devices with Android operating systems: Open the settings in your app-list and tap the "Ad" button. Once the ad window has opened, you can disable the Google Advertising ID.
9. Protection of your data
We always try our best to put reasonable arrangements in place that are aimed at preventing unauthorised access to your personal data, use of your data or manipulation of your data and at minimising the risk of these incidents occurring. All our employees have been instructed with regard to their legal obligations to comply with data protection regulation and to maintain data secrecy. Our SSL transmission is certified by different official certificate authorities.
The provision of personal data, irrespective of whether disclosed in person, over the phone or via the internet, carries certain inevitable risks. No technological system is absolutely fail-safe from being manipulated or sabotaged. We would like to point out that there is always a residual risk of a transmission of data over the internet (i.e. communicating by email) being compromised. A fail-safe, guaranteed protection of the data against access by third parties is not possible.
10. Rights of the data subject (the person whose data is collected)
The processing of your personal data makes you a data subject for the purposes of the GDPR. As a data subject, you may assert the following rights against the data controller:
11.1 Right to information
You can request us to confirm whether we are processing any personal data relating to you.
If this is the case, you may request the data controller to provide you with the following information:
- the purposes for which your personal data is being processed;
- the categories of personal data being processed;
- the recipients or categories of recipients to whom your personal data has been or will be disclosed;
- the planned duration of the storage of your personal data or, if no specific information is available, the criteria for determining the duration of storage;
- the existence of a right to correction or deletion of your personal data, or a right to restrict the processing by the data controller, or a right to object against the processing of the data;
- the existence of a right to lodge a complaint with a supervisory authority;
- in the case the personal data is not collected from the data subject personally, all available information about the source of the data;
- the existence of an automated decision-making procedure including profiling pursuant to Article 22 paras. 1 and 4 GDPR and - at least where this is the case - meaningful information about the logical reasoning involved, as well as the magnitude and intended implications of such data processing for the data subject.
You have the right to request information on whether your personal data is transmitted to a third country or an international organization. You may in this respect demand to be informed about the adequate safeguards taken in relation to the transmission pursuant to Article 46 GDPR.
11.2 Right to correction
You have the right to demand from us to correct and/or complete any of your personal data that is incorrect or incomplete. We must correct or complete the data without undue delay.
11.3 Right to restrict the processing of data
You can demand the processing of your personal data to be restricted under the following conditions:
- if you contest the accuracy of your personal data and allow us adequate time to verify the accuracy of your personal data;
- if the data processing is unlawful and you decline the deletion of your personal data and rather demand the use of your personal data to be restricted;
- if we no longer require your personal data for the data processing purposes, but you require them for the purpose of asserting, exercising or defending your legal interests, or
- if you have objected against the processing of your personal data in accordance with Article 21 para. 1 GDPR and a decision on whether our legitimate interests prevail over your interests has not been made.
Where the processing of your personal data has been restricted, such data may - except for their storage - only be processed with your consent or for the purpose of asserting, exercising or defending legal interests, or to protect the legal interests of another person or legal entity, or for reasons of a substantial public interest of the European Union or a Member State.
If the data processing was restricted on the basis of the conditions stipulated above, you will be notified by us prior to lifting the restriction.
11.4 Right to the deletion of your data
You may at any time delete your account.
11.4.1 Mandatory deletion
You may instruct us to promptly delete your personal data. We are legally required to delete such data without undue delay, provided one of the following reasons applies:
- Your personal data is no longer required for the purposes they were collected or previously processed.
- You revoke your declaration of consent on which the data processing was based pursuant to Article 6 para. 1 lit. a or Article 9 para. 2 lit. a GDPR, and there is no other legal basis that would legitimate the data processing.
- You object against the data processing pursuant to Article 21 para. 1 GDPR and there are no prevailing legitimate reasons for the data processing, or you lodge an objection against the data processing pursuant to Article 21 para. 2 GDPR.
- The processing of your data was unlawful.
- The deletion of your personal data is necessary to perform a legal obligation under EU law or the law of a Member State governing the data controller.
- Your personal data was collected in relation to services offered by the information society pursuant to Article 8 para. 1 GDPR.
11.4.2 Notification of third parties
Where we have made your personal data publicly accessible and are required to delete your data under Article 17 para. 1 GDPR, we will, in consideration of the available technology and cost of implementation, take adequate measures, including technical measures, to inform any other data controllers who process such personal data about the circumstance that you as the data subject have requested them to delete all links to said personal data, copies or reproductions of such personal data.
You are not entitled to the deletion of your data to the extent the data processing is required
- for the purpose of exercising the right to freedom of expression and right to information;
- for the purpose of performing a legal obligation imposed on the data processing under EU law or the law of a Member State governing us, or to discharge a function in the public interest or in the exercise of public authority conferred upon us;
- for reasons of public interest concerning public health pursuant to Art. 9 Section 2 lit. h and i, as well as Article 9 para. 3 GDPR;
- for archiving, scientific or historical research purposes in the public interest, or for statistical purposes pursuant to Article 89 para. 1 GDPR, to the extent the right provided for at section a) is expected to render the achievement of the purposes of this data processing infeasible or to significantly impede them, or
- for the purpose of asserting, exercising or defending legal interests.
12 Right to onward notification
Where you have asserted your right to the correction, deletion or restriction of the data processing against us, we are required to notify all recipients your personal data was disclosed to about said correction or deletion of the data, or restrictions imposed on their processing, unless such notification is infeasible or would entail unreasonable effort or expense.
You are entitled to be informed about these recipients by us.
13 Right to data portability
You have the right to receive the personal data disclosed by you to us in a structured, popular and machine-readable format. You further have the right to transfer such data to other data controllers without interference by the data controller said personal data was initially made available to, provided
- the data processing is based on a declaration of consent pursuant to Article 6 para. 1 lit. a or Article 9 para. 2 lit. a GDPR, or on a contract pursuant to Article 6 para. 1 lit. b GDPR, and
- the data processing is conducted by way of automated processes.
When you exercise this right, you are further entitled to your personal data being transferred directly from one data controller to another data controller, subject to technical feasibility. This must not curtail the freedoms and rights of third parties.
The right to data portability does not apply to the processing of personal data that is required for the performance of a function in the public interest or in the exercise of public authority conferred upon the data controller.
14 Right to object
You have the right to lodge an objection against the processing of your personal data conducted on the basis of Article 6 para. 1 lit. e or f GDPR at any time for reasons that are attributable to your personal circumstances. This also applies to profiling based on the same provisions.
We will then cease processing your personal data, unless we can demonstrate compelling legitimate interests for the data processing that prevail over your interests, rights and freedoms, or unless the data processing serves the purpose of asserting, exercising or defending legal interests.
Where your personal data is processed for direct advertising purposes, you have the right to lodge an objection against the processing of your personal data for such advertising purposes at any time; this also applies to profiling associated with such direct advertising.
If you lodge an objection against data processing for direct advertising purposes, your personal data will no longer be processed for these purposes.
When using services of the information society, you have the option to exercise your right to object via automated processes that use technical specifications, irrespective of the Directive 2002/58/EC.
15 Right to revoke data protection-related declarations of consent
You have the right to revoke a previously granted declaration of consent at any time. A revocation of consent is without prejudice to the lawfulness of the data processing conducted prior to your revocation.
16 Automated individual decision-making
You have the right not to be subjected to a decision based solely on automated processing, including profiling, which would produce legal effects concerning you or would significantly affect you in a similar way. This does not apply if the decision
- is required for the conclusion or performance of a contract between you and us,
- is authorised by an EU or Member State law governing us and such law provides for adequate safeguards for your rights, freedoms and legitimate interests, or
- is based on your explicit consent.
These decisions may however not be made on the basis of personal data of special categories pursuant to Article 9 para. 1 GDPR, unless Article 9 para. 2 lit. a or g applies and adequate safeguards for your rights, freedoms and legitimate interests have been put in place.
In the cases referred to at (1) and (3), we take adequate measures to safeguard your rights, freedoms and legitimate interests, which at the minimum includes the right to obtain intervention of a person on the part of the data controller, the right to express your own opinion and the right to contest the decision.
18 Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy that may be available to you, you have the right to lodge a complaint with a supervisory authority, in particular an authority in the Member State of your residence, your place of work or the place of the alleged infringement if you have reason to believe that your personal data is processed in violation of the GDPR.
The supervisory authority where the complaint was lodged will inform the complainant about the progress and results of the complaint, as well as the option to seek relief from a court of law pursuant to Article 78 GDPR.
Last Update 06.06.2018