Riot Games · Riot Games Privacy Notice · View original document ↗

International Data Transfers

Medium severity Medium confidence Explicitdocumentlanguage Common · 54 of 343 platforms
Share 𝕏 Share in Share 🔒 PDF
Monitor governance changes for Riot Games Create a free account to receive the weekly governance digest and monitor one platform for governance changes.
Create free account No credit card required.
Document Record

What it is

Riot transfers your personal data to other countries, including the US, and uses Standard Contractual Clauses (SCCs) as the legal mechanism to authorize transfers out of the EU.

This analysis describes what Riot Games's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology

ConductAtlas Analysis

Why it matters (compliance & governance perspective)

Data transferred internationally may be subject to different legal protections. The use of SCCs is a recognized GDPR transfer mechanism, but transfers to the US remain subject to ongoing legal scrutiny following the Schrems II ruling and evolving EU-US data privacy framework developments.

Interpretive note: The notice references SCCs as the transfer mechanism but does not confirm whether Transfer Impact Assessments have been conducted, which is a requirement in some circumstances under EDPB guidance following Schrems II.

Recent Activity

This document changed recently

Medium Apr 14, 2026

Riot Games has restructured how it presents information about data collection and use in its privacy notice. The company narrowed its third-party disclaimer by removing the phrase 'we don't own or control,' replacing it with 'we don't control'—a distinction that may affect which entities the company is claiming it has no privacy responsibility for. For California residents, the notice now consolidates information about categories of personal information and their purposes into a single section rather than splitting them across the document. The practical implication depends on how Riot Games operationally interprets 'control' in relation to its business relationships and how California regulators view this language under CCPA notice requirements.

View change record →

Clause Stability Stable

0
Changes
3
Months Monitored
Apr 3, 2026
First Seen
May 22, 2026
Last Seen
This clause type exists across 3350 other provisions on other platforms.

Consumer impact (what this means for users)

Your personal data may be processed in countries with weaker data protection laws than your own. EU users should be aware that while Riot uses SCCs as a transfer mechanism, the practical protections available in destination countries may differ from EU standards.

How other platforms handle this

Ledger Medium

At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.

Medium Medium

Your personal information may be transferred to, and maintained on, computers located outside of your state, province, country, or other governmental jurisdiction where the privacy laws may not be as protective as those in your jurisdiction.

Grindr Medium

Your personal information may be transferred to, stored, and processed in the United States or other countries outside of your country of residence, which may have data protection laws that are different from those in your country.

See all platforms with this clause type →

Monitoring

Riot Games has changed this document before.

Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.

Start Monitor free trial Or create a free account →
▸ View Original Clause Language DOCUMENT RECORD
"
Your personal data may be transferred to and processed in countries other than the country in which you are resident. These countries may have data protection laws that are different to the laws of your country. We have taken appropriate safeguards to require that your personal data will remain protected in accordance with this Privacy Notice. These safeguards include implementing the European Commission's Standard Contractual Clauses for transfers of personal data between Riot entities and to our third-party service providers and partners.

— Excerpt from Riot Games's Riot Games Privacy Notice

ConductAtlas Analysis

Institutional analysis (Compliance & governance intelligence)

REGULATORY LANDSCAPE: GDPR Chapter V governs international transfers of personal data from the EU/EEA. Standard Contractual Clauses (SCCs), updated by the European Commission in 2021, are a recognized transfer mechanism. The Court of Justice of the EU's Schrems II ruling (Case C-311/18) established that SCCs alone may be insufficient without a Transfer Impact Assessment (TIA) in certain circumstances. The EU-US Data Privacy Framework (DPF) established in 2023 provides an additional mechanism for transfers to certified US entities. UK GDPR requires separate transfer mechanisms under the UK's International Data Transfer Agreement (IDTA). GOVERNANCE EXPOSURE: Medium. Riot's use of SCCs represents standard industry practice for EU-to-US transfers. The notice does not detail whether Transfer Impact Assessments have been conducted, which EDPB guidance indicates may be required depending on the destination country and the nature of data transferred. The absence of a specific reference to DPF certification or UK IDTA compliance may warrant follow-up. JURISDICTION FLAGS: EU/EEA users have the strongest interest in assessing the adequacy of transfer safeguards. UK users are subject to a separate post-Brexit transfer regime. Brazilian users under LGPD have transfer rights that should be addressed. Users in countries without adequacy decisions face the greatest practical gap between stated and actual protections. CONTRACT AND VENDOR IMPLICATIONS: B2B customers whose employee data flows through Riot services should confirm that the applicable SCCs or alternative transfer mechanisms are properly executed and that TIAs have been conducted where required. The adequacy of sub-processor transfer chains should be assessed, particularly given the breadth of the third-party ecosystem referenced in the notice. COMPLIANCE CONSIDERATIONS: Legal teams should request documentation of Riot's executed SCCs and any available TIAs. UK compliance teams should verify whether Riot has implemented UK IDTA mechanisms separately from EU SCCs. The notice should be reviewed for consistency with EDPB recommendations on supplementary measures for international transfers.

Full compliance analysis

Regulatory citations, enforcement risk, and due diligence action items.

Track 1 platform — free Try Monitor free for 14 days

Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.

Applicable regulations

CCPA/CPRA
California, USA
COPPA
United States Federal
Connecticut Data Privacy Act Amendments
US-CT
CAN-SPAM
United States Federal
FTC Act Section 5
United States Federal
GDPR
European Union
Indiana Consumer Data Protection Act
US-IN
Kentucky Consumer Data Protection Act
US-KY
Universal Opt-Out Mechanism Expansion 2026
US
VPPA
United States Federal

Provision details

Document information
Document
Riot Games Privacy Notice
Entity
Riot Games
Document last updated
May 5, 2026
Tracking information
First tracked
May 10, 2026
Last verified
May 10, 2026
Record ID
CA-P-001564
Document ID
CA-D-00310
Evidence Provenance
Source URL
Wayback Machine
Content hash (SHA-256)
2a840e744c4ccacedb5da002bc88e924c17e42553d102c3755b4b0f1d26ccb44
Analysis generated
May 10, 2026 05:42 UTC
Methodology
Evidence
✓ Snapshot stored   ✓ Hash verified
Citation Record
Entity: Riot Games
Document: Riot Games Privacy Notice
Record ID: CA-P-001564
Captured: 2026-05-10 05:42:08 UTC
SHA-256: 2a840e744c4ccace…
URL: https://conductatlas.com/platform/riot-games/riot-games-privacy-notice/international-data-transfers/
Accessed: July 4, 2026
Permanent archival reference. Stable identifier suitable for legal filings, compliance documentation, and research citation.
Classification
Severity
Medium
Categories

Other risks in this policy

Related Analysis

Compliance Governance Intelligence

Need to monitor specific governance provisions?

Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.

Arbitration clauses AI governance Data rights Indemnification Retention policies
Start Compliance free trial

Or start with Monitor →

Built from archived source documents, structured governance mappings, and historical version tracking.

Frequently Asked Questions

What does Riot Games's International Data Transfers clause do?

Data transferred internationally may be subject to different legal protections. The use of SCCs is a recognized GDPR transfer mechanism, but transfers to the US remain subject to ongoing legal scrutiny following the Schrems II ruling and evolving EU-US data privacy framework developments.

How does this clause affect you?

Your personal data may be processed in countries with weaker data protection laws than your own. EU users should be aware that while Riot uses SCCs as a transfer mechanism, the practical protections available in destination countries may differ from EU standards.

How many platforms have this type of clause?

ConductAtlas has identified this type of provision across 54 platforms. See the full comparison.

Is ConductAtlas affiliated with Riot Games?

No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Riot Games.