The policy defines the data controller as Epic Games, Inc. and its subsidiaries and affiliates that provide the Epic Services, with specific controller identity determined by Section 12. This structure means the applicable data controller may vary depending on the Epic Service the user is accessing.
This analysis describes what Unreal Engine's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
The policy's use of a group-level data controller definition, with the specific responsible entity identified only in Section 12, is operationally significant under GDPR, which requires clear identification of the data controller and their contact details in privacy notices. Users and compliance teams must consult Section 12 to determine which entity holds data controller responsibility for a specific service or jurisdiction.
Under this provision, the data controller responsible for personal information varies across Epic Services and subsidiaries, with the specific entity identified in Section 12 of the policy. This structure means the applicable privacy rights mechanism, complaint jurisdiction, and legal entity may differ depending on which Epic Service a user is accessing.
How other platforms handle this
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
If you are located in the European Economic Area, Switzerland, or the United Kingdom, you have the right to access, correct, or erase your personal data; the right to restrict or object to our processing of your personal data; the right to data portability; and, where our processing is based on your...
We use information to enhance the quality, reliability, and/or accuracy of our AI Features by creating, developing, training, testing, improving, and maintaining AI and ML models run by Strava or our service providers. We use aggregated, de-identified data for this purpose. We also use personal info...
Monitoring
Unreal Engine has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"When we refer to "Epic" (or any similar terms like "we," "us," or "our") in this Policy, we mean the Epic entity that controls and is responsible for your information, such as Epic Games, Inc. and its subsidiaries and affiliates that provide the Epic Services. This Policy applies when Epic acts as a data controller of your information. You can find details about the data controller responsible for your information in Section 12 (How Can You Contact Us?).— Excerpt from Unreal Engine's Epic Games Privacy Policy
1) REGULATORY LANDSCAPE: GDPR Articles 4 and 13 require clear identification of the data controller and their contact details in privacy notices. A group-level controller definition that defers specific identification to a separate section may create compliance tension with these requirements if users cannot readily identify the responsible entity for a given service. The applicable supervisory authority may vary by member state depending on which subsidiary acts as controller in each jurisdiction. 2) GOVERNANCE EXPOSURE: Medium. The deferred controller identification approach is common in large technology group privacy notices but creates operational complexity for data subject rights requests, supervisory authority interactions, and cross-border enforcement under GDPR's one-stop-shop mechanism. 3) JURISDICTION FLAGS: EU/EEA jurisdictions require clear controller identification and may scrutinize whether the lead supervisory authority designation is consistent with the actual location of the main establishment for EU-facing services. UK GDPR imposes equivalent requirements following Brexit. 4) CONTRACT AND VENDOR IMPLICATIONS: B2B partners and enterprise customers integrating Epic Services into their own products should confirm which Epic entity is the relevant data controller for their user base and ensure that data processing agreements and sub-processor notices reflect the correct legal entity. 5) COMPLIANCE CONSIDERATIONS: Compliance teams should ensure that Section 12 of the policy clearly and specifically identifies the responsible data controller for each major Epic Service and jurisdiction, that lead supervisory authority designations under GDPR are accurate, and that data subject rights request workflows route to the correct legal entity.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
The policy's use of a group-level data controller definition, with the specific responsible entity identified only in Section 12, is operationally significant under GDPR, which requires clear identification of the data controller and their contact details in privacy notices. Users and compliance teams must consult Section 12 to determine which entity holds data controller responsibility for a specific service or …
Under this provision, the data controller responsible for personal information varies across Epic Services and subsidiaries, with the specific entity identified in Section 12 of the policy. This structure means the applicable privacy rights mechanism, complaint jurisdiction, and legal entity may differ depending on which Epic Service a user is accessing.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Unreal Engine.