(02-12-2020, 09:05 PM)Alley Wrote: I would highly recommend you read Article 2 of GDPR. It does not solely apply to legal entities. Discovery is not in any of the exclusion cases and certainly not 2.2c.
As far as I have been able to ascertain based on my own research into GDPR: Unless you are a legal person or entity selling goods and services to people in the EU ("engaged in economic activity"), and as long as you are only processing data that can be reasonably justified as required to run your service, then your website falls under the exemption granted by personal or household activity, and the data you are collecting is considered to be within your "legitimate interest".
If we made Discovery pay to play or if we started tracking information about you to sell to third parties, then we'd be liable.
I am curious as to why the statement Laz quoted about making Discovery GDPR compliant was made in the first place though. I wasn't even around then, so I don't know the story behind it.
Edit: Even in the case of pay to play, applying GDPR would be a stretch due to legitimate interests.
To begin with, I'd like to point out this thread was never about arguing on the semantics of GDPR. That's something major companies themselves still have not managed to settle on and is not really worth worrying about for an obscure gaming community.
One of the reasons the project was started was to provide more transparency to the users regarding the collection and use of their data (esp. personally identifiable), which is plentiful on Discovery when you include the multiplayer server. It's a simple thing but immensely respectful toward the user. It's seemingly something the dev team equally understood and were willing to implement, and that's what I'm asking about here.
Regardless of looking to be fully GDPR compliant (which is an unrealistic goal), there are core concepts in GDPR that are really not that hard to implement and require no particular skills aside from the ability to write sentences.