Riot transfers your personal data to other countries, including the US, and uses Standard Contractual Clauses (SCCs) as the legal mechanism to authorize transfers out of the EU.
This analysis describes what Riot Games's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
Data transferred internationally may be subject to different legal protections. The use of SCCs is a recognized GDPR transfer mechanism, but transfers to the US remain subject to ongoing legal scrutiny following the Schrems II ruling and evolving EU-US data privacy framework developments.
Interpretive note: The notice references SCCs as the transfer mechanism but does not confirm whether Transfer Impact Assessments have been conducted, which is a requirement in some circumstances under EDPB guidance following Schrems II.
Riot Games has restructured how it presents information about data collection and use in its privacy notice. The company narrowed its third-party disclaimer by removing the phrase 'we don't own or control,' replacing it with 'we don't control'—a distinction that may affect which entities the company is claiming it has no privacy responsibility for. For California residents, the notice now consolidates information about categories of personal information and their purposes into a single section rather than splitting them across the document. The practical implication depends on how Riot Games operationally interprets 'control' in relation to its business relationships and how California regulators view this language under CCPA notice requirements.
View change record →Your personal data may be processed in countries with weaker data protection laws than your own. EU users should be aware that while Riot uses SCCs as a transfer mechanism, the practical protections available in destination countries may differ from EU standards.
How other platforms handle this
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
Your personal information may be transferred to, and maintained on, computers located outside of your state, province, country, or other governmental jurisdiction where the privacy laws may not be as protective as those in your jurisdiction.
Your personal information may be transferred to, stored, and processed in the United States or other countries outside of your country of residence, which may have data protection laws that are different from those in your country.
Monitoring
Riot Games has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"Your personal data may be transferred to and processed in countries other than the country in which you are resident. These countries may have data protection laws that are different to the laws of your country. We have taken appropriate safeguards to require that your personal data will remain protected in accordance with this Privacy Notice. These safeguards include implementing the European Commission's Standard Contractual Clauses for transfers of personal data between Riot entities and to our third-party service providers and partners.— Excerpt from Riot Games's Riot Games Privacy Notice
REGULATORY LANDSCAPE: GDPR Chapter V governs international transfers of personal data from the EU/EEA. Standard Contractual Clauses (SCCs), updated by the European Commission in 2021, are a recognized transfer mechanism. The Court of Justice of the EU's Schrems II ruling (Case C-311/18) established that SCCs alone may be insufficient without a Transfer Impact Assessment (TIA) in certain circumstances. The EU-US Data Privacy Framework (DPF) established in 2023 provides an additional mechanism for transfers to certified US entities. UK GDPR requires separate transfer mechanisms under the UK's International Data Transfer Agreement (IDTA). GOVERNANCE EXPOSURE: Medium. Riot's use of SCCs represents standard industry practice for EU-to-US transfers. The notice does not detail whether Transfer Impact Assessments have been conducted, which EDPB guidance indicates may be required depending on the destination country and the nature of data transferred. The absence of a specific reference to DPF certification or UK IDTA compliance may warrant follow-up. JURISDICTION FLAGS: EU/EEA users have the strongest interest in assessing the adequacy of transfer safeguards. UK users are subject to a separate post-Brexit transfer regime. Brazilian users under LGPD have transfer rights that should be addressed. Users in countries without adequacy decisions face the greatest practical gap between stated and actual protections. CONTRACT AND VENDOR IMPLICATIONS: B2B customers whose employee data flows through Riot services should confirm that the applicable SCCs or alternative transfer mechanisms are properly executed and that TIAs have been conducted where required. The adequacy of sub-processor transfer chains should be assessed, particularly given the breadth of the third-party ecosystem referenced in the notice. COMPLIANCE CONSIDERATIONS: Legal teams should request documentation of Riot's executed SCCs and any available TIAs. UK compliance teams should verify whether Riot has implemented UK IDTA mechanisms separately from EU SCCs. The notice should be reviewed for consistency with EDPB recommendations on supplementary measures for international transfers.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Ad personalization controls removed. Contact scanning added. Advertiser data partnerships quietly dropped. A timeline of every change.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
Data transferred internationally may be subject to different legal protections. The use of SCCs is a recognized GDPR transfer mechanism, but transfers to the US remain subject to ongoing legal scrutiny following the Schrems II ruling and evolving EU-US data privacy framework developments.
Your personal data may be processed in countries with weaker data protection laws than your own. EU users should be aware that while Riot uses SCCs as a transfer mechanism, the practical protections available in destination countries may differ from EU standards.
ConductAtlas has identified this type of provision across 54 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Riot Games.