Xbox Network Services data processing addendum for PC and mobile games

This Xbox Network Services Data Processing Addendum for PC and Mobile Games (the "Addendum") is part of the App Developer Agreement (the "ADA") between you and Microsoft, and governs the Processing of Personal Data made available to you through your PC and mobile Apps that incorporate Xbox Network Services. In the event of any conflict between the terms of the ADA and the terms of this Addendum, the terms of this Addendum shall control.

1. Definitions. Capitalized terms used in this Addendum have the definition provided in the ADA or this Addendum.

1.1 "Data Exporter" means the party that (1) has a corporate presence or other stable arrangement in a jurisdiction that requires an International Data Transfer Mechanism; and (2) transfers Personal Data to, or makes Personal Data available to, the Data Importer.

1.2 "Data Importer" means the party that (1) is located in a jurisdiction that is not the same as the Data Exporter's jurisdiction; and (2) receives Personal Data from the Data Exporter or is able to access Personal Data made available by the Data Exporter.

1.3 "Data Protection Law" means any law, rule, regulation, decree, statute, or other enactment, order, mandate or resolution, applicable to you or Microsoft, relating to data security, protection, Processing and/or privacy, and any implementing, derivative or related legislation, rule, regulation, and regulatory guidance, as amended, extended, repealed and replaced, or re-enacted.

1.4 "Personal Data" means any information relating to an identified or identifiable natural person ("Data Subject") and any other data or information that constitutes personal data or personal information under any applicable Data Protection Law.

2. Data Protection Law Compliance. With respect to the Personal Data transferred under the ADA and this Addendum, the parties agree that both you and Microsoft are independent data Controllers, and not joint Controllers, as defined in the General Data Protection Regulation (GDPR), of the Personal Data that each independently Processes. As used in this Addendum, "Controller" means the entity that determines the purpose and means of Processing of Personal Data, and "Process" or "Processing" means any operation or set of operations that a party performs on Personal Data, including collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, restriction, erasure or destruction. "Processed" will have a corresponding meaning. As independent Controllers of Personal Data, the parties agree as follows:

2.1 General. Each party is independently responsible for compliance and will comply with Data Protection Law (e.g., obligations of Controllers), including without limitation providing notice to Data Subjects as required by Data Protection Laws (e.g., GDPR Articles 13 and 14, as applicable), responding as required by Data Protection Laws (e.g., Chapter III of GDPR) to Data Subjects' requests to exercise their rights, and identifying a lawful basis of Processing (e.g., consent or legitimate interest).

2.2 Cooperation. If either party receives any type of request or inquiry from a governmental, legislative, judicial, law enforcement, or regulatory authority (e.g., the Federal Trade Commission, the Attorney General of a U.S. state, or a European data protection authority), or faces an actual or potential claim, inquiry, or complaint in connection with the parties' Processing of Personal Data shared under the ADA and this Addendum (collectively, an "Inquiry"), such party will notify the other party without undue delay unless such notification is prohibited by applicable law. The receiving party will promptly provide the other party with information relevant to the Inquiry, including any information relevant to the defense of a claim, to enable such party to respond to the Inquiry. Upon request, a party will provide relevant information to the other party to fulfill its obligations (if any) to conduct data protection impact assessments or prior consultations with data protection authorities.

2.3 Data Security. You must ensure your network, operating system, software, databases, and other relevant computer systems are properly built, configured, and operated to store, manage and protect any Personal Data received or obtained from Microsoft in a secure manner and in compliance with all requirements related thereto contained in the Xbox Requirements ("XRs"). Each party will take all measures required in accordance with good industry practice and by Data Protection Law relating to data security (including pursuant to Article 32 of the GDPR).

2.4 Confidentiality. Each party will ensure that persons authorized to Process the Personal Data have committed themselves to confidentiality obligations no less protective than those set forth in the NDA or under an appropriate statutory obligation of confidentiality.

2.5 Prohibition on Sale of Personal Data. Subject to a Customer's additional authorization or instructions to the contrary, you will (i) only use Personal Data in connection with the provision of games and game-related services, and (ii) not transfer, Share or Sell the Personal Data to any third party except to contractually bound Processors or sub-processors operating on your behalf (where "Share" and "Sell" are defined by the California Consumer Privacy Act or other applicable Data Protection Law). Where Microsoft transfers data that is considered deidentified data under applicable Data Protection Law, you will not (and will ensure that your sub-processors will not) attempt to reidentify the data such that it would become Personal Data. To the extent the California Consumer Privacy Act applies to any Personal Data, you certify that you understand the above restrictions and will comply with them. You will notify Microsoft if you determine that you can no longer meet your obligations under applicable Data Protection Law.

2.6 You will comply with Microsoft's instructions on receiving Data Subject rights requests from Customers and other reasonable requirements governing the use of Personal Data as set forth in the ADA.

2.7 You will comply with Microsoft's request to conduct a compliance review of your adherence to and/or execution of privacy obligations under the terms of this Addendum and as required by applicable laws. Microsoft may request such review once per calendar year or upon Customer complaint. Except in cases of a Customer complaint, you may submit an attestation of compliance in lieu of participating in a compliance review.

2.8 Upon termination of the ADA for cause, an adverse compliance review finding that you are mishandling data, or upon commencement of an Inquiry, you will, at Microsoft's request, immediately delete or return to Microsoft all copies of Personal Data shared under the ADA and this Addendum except to the extent you have the right or obligation under applicable Data Protection Law to retain Personal Data after termination. If requested by Microsoft, you shall confirm deletion in writing within thirty (30) days.

2.9 International Personal Data Transfer Requirements. Some jurisdictions require that an entity transferring Personal Data to a recipient in another jurisdiction take extra measures to ensure that the Personal Data has special protections if the law of the recipient's jurisdiction does not protect Personal Data in a manner equivalent to the transferring entity's jurisdiction (an "International Data Transfer Mechanism"). The parties will comply with any International Data Transfer Mechanism that may be required by applicable Data Protection Law, including the Standard Contractual Clauses. "Standard Contractual Clauses" means the European Union standard contractual clauses for international transfers from the European Economic Area to third countries, Commission Implementing Decision (EU) 2021/914 of 4 June 2021. The parties further agree as follows:

2.9.1 If the International Data Transfer Mechanism on which the parties rely is invalidated or superseded, the parties will work together in good faith to find a suitable alternative.

2.9.2 With respect to Personal Data of Data Subjects located in a jurisdiction that requires an International Data Transfer Mechanism (e.g., the EEA, Switzerland, or the United Kingdom) that Microsoft transfers to you or permits you to access, the parties agree that by executing this Addendum they also execute the Standard Contractual Clauses, which will be incorporated by reference and form an integral part of this Addendum. The parties agree that, with respect to the elements of the Standard Contractual Clauses that require the parties' input, Schedule 1 contains information relevant to the Standard Contractual Clauses' Annexes. The parties agree that, for Personal Data of Data Subjects in the United Kingdom, Switzerland, or another country specified in Schedule 1, they adopt the modifications to the Standard Contractual Clauses listed in Schedule 1 to adapt the Standard Contractual Clauses to local law, as applicable.

2.10 Schedule 1. Schedule 1 describes the purposes of the parties' Processing, the types or categories of Personal Data involved in the Processing, the categories of Data Subjects affected by the Processing, and the parties' statuses under relevant Data Protection Law.

SCHEDULE 1 — DESCRIPTION OF THE PROCESSING

Processing Activity: You collect or receive Personal Data as a Controller.

Status of the Parties: Microsoft is a Controller. You are a Controller.

Categories of Personal Data and Sensitive Data that May Be Processed:
  • Xbox User Identification (XUID)
  • Location data
  • IP address
  • Device preferences and personalization
  • Service usage for websites, webpage click tracking
  • Social media data and social graph relationships
  • Activity data from connected devices such as fitness monitors
  • Contact data such as name, address, phone number, email address, date of birth, dependent, and emergency contacts
  • Fraud and risk assessment, background check
  • Metadata and telemetry
  • Xbox Live, OneDrive Consumer
  • Customer originated support ticket
  • Billing data
  • E-commerce data
  • Event registration
  • Training
  • Globally Unique Identifier (GUID)
  • Passport User ID or Unique Identifier (PUID)
  • Hashed End-User Identifiable Information (EUII), Session IDs
  • Device IDs
  • Diagnostic Data
  • Log Data
  • Crash Dump Data
  • Data related to the age of the Customer
  • Data related to children

Applicable SCCs Module: Module 1

NOTE: The categories listed are descriptive and do not necessarily mean that the parties are Processing each category of data listed.

1. Information for International Transfers:

1.1 Frequency of Transfer: Continuous for all Personal Data.

1.2 Retention Periods: As Controllers, the parties retain Personal Data for as long as they have a business purpose for it or for the longest time allowable by applicable law.

2. For the purpose of the Standard Contractual Clauses:

2.1 Clause 7: The parties do not adopt the optional docking clause.

2.2 Clause 11(a): The parties do not select the independent dispute resolution option.

2.3 Clause 17: The parties select Option 1. The parties agree that the governing jurisdiction is Ireland.

2.4 Clause 18: The parties agree that the forum is Ireland.

2.5 Annex I(A): The data exporter is the Data Exporter (defined above) and the data importer is the Data Importer (defined above).

2.6 Annex I(B): The parties agree that Schedule 1 describes the transfer.

2.7 Annex I(C): The competent supervisory authority is the Irish Data Protection Commission.

2.8 Annex II: The parties agree that this Schedule 1, Section 4, describes the technical and organizational measures applicable to the transfer.

3. For the purpose of localizing the Standard Contractual Clauses:

3.1 Switzerland

3.1.1 The parties adopt the GDPR standard for all data transfers.

3.1.2 Clause 13 and Annex I(C): The competent authorities under Clause 13, and in Annex I(C), are the Federal Data Protection and Information Commissioner and, concurrently, the EEA member state authority identified above.

3.1.3 Clause 17: The parties agree that the governing jurisdiction is Ireland.

3.1.4 Clause 18: The parties agree that the forum is Ireland. The parties agree to interpret the Standard Contractual Clauses so that Data Subjects in Switzerland are able to sue for their rights in Switzerland in accordance with Clause 18(c).

3.1.5 The parties agree to interpret the Standard Contractual Clauses so that "Data Subjects" includes information about Swiss legal entities until the revised Federal Act on Data Protection becomes operative.

3.2 United Kingdom

3.2.1 The parties agree that the Standard Contractual Clauses are deemed amended to the extent necessary that they operate for transfers from the United Kingdom to a Third Country and provide appropriate safeguards for transfers according to Article 46 of the United Kingdom General Data Protection Regulation ("UK GDPR"). Such amendments include changing references to the GDPR to the UK GDPR and changing references to EU Member States to the United Kingdom.

3.2.2 Clause 17: The parties agree that the governing jurisdiction is the United Kingdom.

3.2.3 Clause 18: The parties agree that the forum is the courts of England and Wales. The parties agree that Data Subjects may bring legal proceedings against either party in the courts of any country in the United Kingdom.

3.2.4 Transfers from the United Kingdom shall be governed by the IDTA implemented by Microsoft. For purposes of the Agreement, the "IDTA" means the international data transfer addendum to the European Commission's standard contractual clauses for international data transfers issued by the UK Information Commissioner's Office under S119A(1) of the UK Data Protection Act 2018.

4. Technical and Organizational Security Measures. You will comply with the technical and organizational measures as set out in Section 2.3 of the Addendum.