Data Privacy Center

At Embracer Group, we are committed to maintaining the trust and confidence of our employees, partners, players and customers by handling your personal data with the utmost care and respect. Transparency and accountability are central to how we work with privacy, and we believe it is important that individuals understand how and why their personal data is processed within our organisation.

This Data Privacy Center has therefore been created to provide clear and accessible information about how Embracer Group approaches data protection and privacy matters at a group level. It offers an overview of our principles, governance, and practices related to the processing of personal data. However, it does not replace the privacy notices made available by individual group companies, which provide more detailed and context-specific information relating to particular products, services, websites, and employment relationships.

What is data privacy and personal data?

Data privacy refers to the principles, safeguards, and legal requirements that govern how personal data is collected, used, stored and shared. It is fundamentally about ensuring that personal data is handled in a way that respects individuals’ privacy and autonomy, and that provides transparency and meaningful control over how their personal data is used. At Embracer Group, we prioritize data privacy by implementing appropriate security measures, complying with applicable privacy laws and internal requirements, and being open and transparent about our data processing activities.

Personal data – also referred to as personal information or personally identifiable information – means any information that can identify an individual, either on its own or when combined with other information. This can include basic details such as a name, email address, and phone number, as well as more contextual information such as playstyle, achievements, or purchased products.

Our privacy ambitions

All companies within our group are required to comply with our privacy requirements, without any exceptions. To ensure a consistent approach to the protection of personal data, we have adopted a Group Privacy Policy that outlines the expectations and the mandatory requirements for all group companies. The Group Privacy Policy governs every Embracer Group company, regardless of whether applicable local or national legislation contains explicit or comprehensive privacy requirements. In other words, compliance with the Group Privacy Policy is required even in jurisdictions where data protection laws are limited or less stringent.

Where local or national laws impose additional or stricter privacy obligations, the relevant group companies must fully comply with those legal requirements in addition to those set out in the Group Privacy Policy.

Through this layered approach, we ensure that all companies within the group adhere to a common, high standard for the processing of personal data, while also complying with applicable local legal requirements.

To support and enable this work in practice, strong group-wide collaboration is a key focus. This collaboration is essential to ensure a high level of awareness, effective coordination and clear communication across the different entities within the group, as well as a well-defined allocation of roles and responsibilities. Driving and coordinating this effort at group level is our Head of Privacy and AI Governance, who is responsible for maintaining and developing group-wide requirements, controls, governance forums, guidelines, and supporting information that are intended to benefit and support all group entities in their privacy work.

Providing individuals with control over their personal data

We take the privacy of individuals very seriously and are committed to responding to all requests relating to individual rights in a timely and transparent manner. When we process an individual’s personal data, this person is entitled to exercise a range of rights, which generally include:

  • The right to access, correction, deletion, restriction, and objection to the processing or sale of their personal data;
  • The right to data portability, which means the right to receive their personal data in a structured, commonly used and machine-readable format and to transmit it to another controller;
  • The right to withdraw consent at any time, if the processing is based on consent; and
  • The right to lodge a complaint with a supervisory authority, if they consider that the processing infringes their rights.

To exercise any of these rights, individuals should contact the company within Embracer Group that processes their personal data, for example the company with which they have an account or other direct relationship. Relevant contact details are provided at the point where personal data was first collected. Further information about individual rights is available in the Privacy Notice published on this website, as well as in the applicable Privacy Notice of the relevant group company.

How do we protect your personal data?

The protection of personal data is of particular importance to Embracer. We value the trust that our players, users and other individuals place in us when they share their personal data, and we are committed to safeguarding that trust through strong technical, organizational, and contractual measures.

Personal data processed within our companies is protected using industry-standard encryption techniques, and we apply industry-leading security tools and best practices to safeguard our IT environments. Access to any personal data is strictly controlled and granted in accordance with the principle of least privilege, meaning that individuals are only given access to the data necessary to perform their specific tasks.

We also rely on established and reputable data storage and service providers whose security measures are regularly audited by independent third parties. These requirements apply to the handling of both personal data and non-personal data. In addition, our security and data protection requirements extend to our suppliers and business partners through contractual obligations, ensuring that personal data is protected throughout the chain.

Data Breach / Incident Response

We are committed to protecting personal data, including in situations where incidents occur. A data breach or incident may include events such as unauthorized or unlawful access to, disclosure of, alteration of, or destruction of personal data.

To address such situations, we have implemented a robust and structured incident response framework designed to ensure the timely detection, mitigation, and reporting of data breaches. Our response process also includes a thorough post-incident review to assess root causes and identify corrective and preventive measures.

To support this work, we rely on both internal expertise and external resources, enabling us to prepare for potential incidents and respond swiftly and effectively if a breach occurs. This structured approach ensures that incidents are handled in a consistent and compliant manner and that lessons learned are incorporated into our processes to reduce the risk of recurrence.

Annual audits and reviews

To monitor our progress and continuously improve our maturity in the area of data privacy, we conduct annual audits and reviews. These audits are carried out both internally and in collaboration with independent external auditors.

The audits focus on key areas such as the processing of personal data, information security practices, the use of AI and the effectiveness and maturity of our governance processes. Through these reviews, we aim to ensure that personal data and AI are used in a safe, ethical, business-friendly, and legally compliant manner across our companies, while also identifying opportunities for ongoing improvement.

How do we handle consent for personal data?

Not all processing of personal data requires consent. Depending on the circumstances, personal data may be processed on other legal bases, such as the fulfilment of a contract. This is, for example, often the case when an employer processes personal data relating to its employees.

The most common legal basis relied upon is legitimate interest, or a corresponding legal basis under applicable local legislation. This allows a company to process personal data for specific and limited purposes without requiring an individual’s consent, provided that such processing is lawful and appropriately balanced against the individual’s rights and interests. Examples of such processing include activities necessary to prevent fraud or to ensure the security and integrity of our IT systems. For more detailed information about the legal basis used for specific processing activities, individuals are referred to the relevant Privacy Notice.

Where consent is required under applicable data protection law, we obtain and manage consent in accordance with all legal requirements. Any consent collected is designed to meet the strict conditions for validity, including that it is informed, specific, freely given, and unambiguous. Individuals are provided with clear and concise information on how and why their personal data will be used before consent is requested.

Individuals also have the right to withdraw their consent at any time, in an easy and accessible manner. For example, consent for newsletters or marketing communications can always be withdrawn by using the unsubscribe link included at the bottom of each message, without affecting the lawfulness of processing carried out prior to the withdrawal.

Data minimization and deletion

When processing personal data, we always apply the principle of data minimization. This is a core principle of data protection and means that we limit the collection, use, and storage of personal data to what is strictly necessary to achieve a specific and clearly defined purpose. We also ensure that we do not collect personal data from third parties unless we are required to do so.

Data minimization also includes limiting how long personal data is retained. Personal data is therefore kept only for as long as necessary to fulfil the purpose for which it was collected or otherwise processed, after which it is securely deleted or anonymized in accordance with applicable legal requirements. There are defined retention times set out for each purpose.

Sale of personal data

We do not sell, rent, or otherwise disclose personal data to third parties for their own independent or secondary commercial purposes. Personal data may, however, be shared within Embracer Group or with trusted service providers acting on our instructions where this is necessary to deliver products and services, operate our business, or comply with legal obligations.

Some of our websites use cookies and similar tracking technologies, which might belong to our partners, who are third parties. We do not use such technologies without explicit consent. It is always possible for the website visitor to decline the placement of third-party-owned tracking technologies. We will then not share any information about the individual with our partners.

We apply the same high standards of security and data protection to our processors and service providers as we do to our own processing activities. These requirements are reflected in contractual obligations and are designed to ensure that personal data is protected to a consistently high standard throughout the processing chain.

How do we keep our employees informed about data processing requirements?

We ensure that all employees, regardless of their role, function, or location, receive recurring and relevant training on data protection and information security. This training is designed to build awareness and practical guidance on how to handle personal and sensitive data responsibly, how to prevent and report data breaches, and how to comply with applicable laws and internal requirements.

Our training programme covers key topics such as data classification, encryption, access control, password management, phishing awareness, and the rights of individuals under data protection laws. We continuously monitor and evaluate the effectiveness of our training efforts and update the content as necessary to reflect changes in legal requirements, emerging risks, and developments in the data protection landscape.

Number of requests from government authorities for personal data

We publish information on the number of legal requests for customer data that we receive from government authorities and other public bodies to the extent we are legally permitted to do so. Any request for personal data must comply with applicable laws and be subject to careful legal assessment before any data is disclosed.

We only provide personal data where we are legally required to do so and limit any disclosure strictly to the data necessary to fulfil the specific request. Depending on the applicable legal framework, a valid subpoena, warrant, court order, or similar legal instrument is generally required before we can comply with a request. We always verify the legal basis, scope and validity of such requests prior to responding, in order to protect the rights and privacy of individuals.

Year | Number of requests | Number of fulfilled requests
2020 | 0 | 0
2021 | 0 | 0
2022 | 0 | 0
2023 | 0 | 0
2024 | 0 | 0
2025 | 0 | 0

List updated annually.

Embracer Group is a global group of creative and entrepreneurial businesses in PC, console and mobile games, as well as other related media. The Group has an extensive catalog of over 400 owned or controlled franchises.

With its head office based in Karlstad, Sweden, Embracer Group has a global presence through its operative groups: THQ Nordic, PLAION, DECA Games, Dark Horse, Freemode and Crystal Dynamics – Eidos. The Group includes 55 internal game development studios and engages nearly 6,500 talents across nearly 30 countries.