GDPR Audits

You are required to complete a GDPR audit to comply with European regulations and the GDPR legislation if you have or could potentially have players based in the EU. You will not be able to view personal information such as IP addresses, emails and billing details unless you have completed a GDPR audit.

When completing your GDPR audit, you will need to answer a few questions on how you process personally identifiable information (PII) which has been collected from your use of the Tebex platform, and on who has access to it. These audits will need to be kept up to date if any of your circumstances change.

How To Submit A GDPR Audit

  1. Go to Privacy.

  2. Go to GDPR Audits.

  3. Click Create GDPR Audit.

  4. Enter the information (We explain each section below).

  5. Click Create.

  6. We will then review your GDPR audit within 3 working days and either accept or decline it. If we choose to decline your audit, we will provide you with information on why.

Information About Each Section Of A GDPR Audit

Find out more information about each section of the GDPR audit below.

Data Access

This section is where you will need to detail who has access to PII on your store, as well as to exported or externally saved data collected from the API. Please make sure to add their full name, role, the data they have access to and their email address.

An example could be:

John Smith, Support staff, Partial access (Player IP in logs),

External Systems

This section should include information about the systems you use to process the player data. We need to understand what you are using to process the data, where you are processing the data, what data is being processed and the purpose of the system.

An example could be:

We have a US MySQL database (Amazon RDS) for backing up all the payments history using Webhooks.

Data Exporting

In this field we need to know if you export your data, where to and what protection it is afforded. If you are storing EU data outside of the EEA (the countries of the EU + Iceland, Norway and Liechtenstein, more info) then you will need to make sure that the data is covered under safeguards that the ICO has determined here.

We define any activity of transferring data from your control panel as exporting the data. This includes using the payments export option, webhooks and sharing data manually outside of our system.

An example could be:

We export data to our AWS instances in the USA for performing our own analytics. AWS is fully compliant with Privacy Shield for EU data.

Data Processing

This is where you will need to provide more information on what data from Tebex you process and where you process it. This may include order fulfilment, email marketing, customer support and fraud prevention, and you will need to detail how the data is used for each of these functions.

An example could be:

Customer support - we use the email from the payments to conduct email follow-ups if there are support issues with payments.

I Don't Want To Have Access To Personal Information

If you do not want to submit a GDPR audit, you can choose to disable the ability to view personal information. Once you have done this, you will not be required to submit an audit. You can find this option in Privacy > Show PII.