Riot transfers your personal data to other countries, including the US, and uses Standard Contractual Clauses (SCCs) as the legal mechanism to authorize transfers out of the EU.
This analysis describes what Riot Games's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
The clause establishes the operational framework under which personal data moves across jurisdictions with varying legal regimes. Standard Contractual Clauses serve as the contractual mechanism enabling lawful international data flows while imposing consistent protection obligations on receiving entities.
Interpretive note: The notice references SCCs as the transfer mechanism but does not confirm whether Transfer Impact Assessments have been conducted, which is a requirement in some circumstances under EDPB guidance following Schrems II.
Riot Games has restructured how it presents information about data collection and use in its privacy notice. The company narrowed its third-party disclaimer by removing the phrase 'we don't own or control,' replacing it with 'we don't control'—a distinction that may affect which entities the company is claiming it has no privacy responsibility for. For California residents, the notice now consolidates information about categories of personal information and their purposes into a single section rather than splitting them across the document. The practical implication depends on how Riot Games operationally interprets 'control' in relation to its business relationships and how California regulators view this language under CCPA notice requirements.
View change record →Your personal data may be processed in countries with weaker data protection laws than your own. EU users should be aware that while Riot uses SCCs as a transfer mechanism, the practical protections available in destination countries may differ from EU standards.
How other platforms handle this
Tabnine is headquartered in the United States and operates globally. If you are located outside the United States, your personal data may be transferred to and processed in the United States or other countries that may not provide the same level of data protection as your home country. We rely on ap...
Pinterest, Inc. is based in the US. If you live outside the US, your information will be transferred to and processed in the US and other countries where our partners, service providers, and affiliates operate. We use approved data transfer mechanisms, including standard contractual clauses, to ensu...
If you are a resident in the EEA, Switzerland or the UK, then these countries may not necessarily have data protection laws or other similar laws as comprehensive as those in your country. We may transfer Personal Information from the EEA, Switzerland or the UK to the U.S. and other third countries ...
Monitoring
Riot Games has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"Your personal data may be transferred to and processed in countries other than the country in which you are resident. These countries may have data protection laws that are different to the laws of your country. We have taken appropriate safeguards to require that your personal data will remain protected in accordance with this Privacy Notice. These safeguards include implementing the European Commission's Standard Contractual Clauses for transfers of personal data between Riot entities and to our third-party service providers and partners.— Excerpt from Riot Games's Riot Games Privacy Notice
REGULATORY LANDSCAPE: GDPR Chapter V governs international transfers of personal data from the EU/EEA. Standard Contractual Clauses (SCCs), updated by the European Commission in 2021, are a recognized transfer mechanism. The Court of Justice of the EU's Schrems II ruling (Case C-311/18) established that SCCs alone may be insufficient without a Transfer Impact Assessment (TIA) in certain circumstances. The EU-US Data Privacy Framework (DPF) established in 2023 provides an additional mechanism for transfers to certified US entities. UK GDPR requires separate transfer mechanisms under the UK's International Data Transfer Agreement (IDTA). GOVERNANCE EXPOSURE: Medium. Riot's use of SCCs represents standard industry practice for EU-to-US transfers. The notice does not detail whether Transfer Impact Assessments have been conducted, which EDPB guidance indicates may be required depending on the destination country and the nature of data transferred. The absence of a specific reference to DPF certification or UK IDTA compliance may warrant follow-up. JURISDICTION FLAGS: EU/EEA users have the strongest interest in assessing the adequacy of transfer safeguards. UK users are subject to a separate post-Brexit transfer regime. Brazilian users under LGPD have transfer rights that should be addressed. Users in countries without adequacy decisions face the greatest practical gap between stated and actual protections. CONTRACT AND VENDOR IMPLICATIONS: B2B customers whose employee data flows through Riot services should confirm that the applicable SCCs or alternative transfer mechanisms are properly executed and that TIAs have been conducted where required. The adequacy of sub-processor transfer chains should be assessed, particularly given the breadth of the third-party ecosystem referenced in the notice. COMPLIANCE CONSIDERATIONS: Legal teams should request documentation of Riot's executed SCCs and any available TIAs. UK compliance teams should verify whether Riot has implemented UK IDTA mechanisms separately from EU SCCs. The notice should be reviewed for consistency with EDPB recommendations on supplementary measures for international transfers.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
ConductAtlas detected a major restructuring of Meta’s privacy policy that removed detailed consumer rights disclosures and relocated them to separate documents.
Your genetic data may be transferred to a new owner as a business asset. Here is what the Terms of Service actually say and what you can do right now.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
The clause establishes the operational framework under which personal data moves across jurisdictions with varying legal regimes. Standard Contractual Clauses serve as the contractual mechanism enabling lawful international data flows while imposing consistent protection obligations on receiving entities.
Your personal data may be processed in countries with weaker data protection laws than your own. EU users should be aware that while Riot uses SCCs as a transfer mechanism, the practical protections available in destination countries may differ from EU standards.
ConductAtlas has identified this type of provision across 47 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Riot Games.