In order to optimise players' performance and game behaviour, it is already common practice in physical sports to process performance data generated during training. This phenomenon is also evident in the field of e-sports, where it is particularly easy to collect and process extensive performance data as the performance is rendered digitally. We explain below whether the processing of this performance data is legally permissible and why there are different permissions for different types of processed data.
What data is processed?
A multitude of data is collected during e-sports training. On the one hand, the game itself can be recorded. This also includes communication within the team. Eye-tracking can also be used to record and analyse e-sports players' field of perception and their focus on what is happening on the screen. In addition, click speed and input behaviour are often recorded. Body sensors can also be used to enable the collection of vital data (e.g. heart rate). The purpose of collecting this data is to assign it to the specific e-sports player in order to optimally control their training needs and progress. This data is therefore personal data within the meaning of Art. 4 No. 1 GDPR. If vital data is collected, this is even subject to the special protection of Art. 9 (1) GDPR as health data.
Which legal bases enable data processing?
The processing of personal data is generally prohibited subject to the reservation of permission. The processing outlined here can primarily be based on the permission criteria of Art. 6 (1) GDPR as far as "normal" performance data is concerned, and on Art. 9 (2) GDPR with regard to particularly sensitive vital data. In addition, the provisions of the German Federal Data Protection Act [Bundesdatenschutzgesetz, "BDSG"] also have to be observed if an e-sports player is classified as an employee in a specific individual case (there are already sufficient publications on this topic, for example, see Schlotthauer in: Maties, StichwortKommentar eSport-Recht, eSportler, Arbeitnehmereigenschaft).
- With regard to "normal performance data", a processing can be justified either via Art. 6 (1) (b) GDPR or via Art. 6 (1) (f) GDPR. In order to justify a processing via Art. 6 (1) (b) GDPR, the "necessity" of processing the data for the performance of the contract is decisive. The assumption of such necessity can be justified if the obligation to train and analyse is classified as being one of the core contractual obligations of the contract between the e-sports player and the clan/organisation. In all events, one can regularly assume overriding legitimate interests of the clan/organisation, since the processing of this performance data is necessary for purposes of targeted performance and training control. The processing can therefore definitely be based on Art. 6 (1) (f) GDPR.
- The processing of vital data, i.e. "special performance data", however, is subject to stricter requirements. The grounds for justification in Art. 9 (2) GDPR do not contain any regulations comparable to Art. 6 (1) (b) and (f). One possibility would be to revert to the consent criterion (Art. 9 (2) (a) GDPR), although it is extremely questionable whether the characteristic of the "voluntariness" of the consent is fulfilled here, especially if an e-sports player is classified as an employee and with the resulting superiority/subordination relationship.
- The processing of vital data can also conceivably be based on Sec. 26 (3) BDSG (in conjunction with Article 88 GDPR). The prerequisite in this case is that the processing is required to exercise rights or fulfil legal obligations under labour law, social security law and social protection law. Whether such processing on the basis of the "employment contract" constitutes compliance with a legal obligation under labour law has not yet been conclusively clarified. This poses the risk of data processing without legal grounds.
Reverting back to the initial question: the processing of normal performance data in connection with e-sports training has sufficient legal bases in the law. If vital data or particularly sensitive data within the meaning of Article 9 (1) GDPR additionally are to be processed, consent will probably have to be obtained. In this case, it must be ensured that consent is given voluntarily. In principle, this can be achieved by making the additional collection of consent optional and by not threatening disadvantages to e-sports players who refuse to give their consent.
In all other respects, the general obligations under data protection law must be observed when collecting performance data. This means, in particular, that e-sports players need to be duly informed about the processing operations and the performance data must be deleted immediately once the processing purpose no longer exists.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.