Hi. I am a certified data protection officer for a company operating within the EU. Generally their policy isn't good, nor does it conform with the requirements of the GDPR. They're already in violation of at least Article 12 GDPR solely based on the excerpts you've posted.
To address the points you've raised:
We store personal information for as long as we reasonably need it to fulfill the purposes for which it was collected. We may share, or provide you with opportunities to share, information about you with other users of our websites, games, game engines, and applications as described in this policy.
This is within their rights. The second your contract with them ends (you delete your account, request deletion based on GDPR), they may no longer use your data for anything; they will have to delete it and confirm deletion of all data in accordance with the GDPR in writing, unless there are laws requiring them to keep records longer. If there are, they have to delete once those times are done. This is in accordance with Article 6.
We may share personal information we collect within our family of companies. We also will share information with service providers that perform services on our behalf and under our instructions
This is fine for the most part. They process data through their ISP for example, and probably some subsidiaries that do their accounting and such processes. What is not fine, however, is that they do not list the exact recipients in accordance with Article 12 GDPR, especially since their wording isn't even close to being possible to understand by a child (who will use their services; Fortnite, anyone?). Them pointing out that their services are not directed at children (which they cut off at 13 for some reason) doesn't matter at all. It's accessible to children and a large part of their audience are children. Their intent means nothing the second a child interacts with their services, unless they actively prevent children from using it.
We also may share certain limited information, such as device identifiers, with advertisers and other marketing partners for purposes of gauging the effectiveness of advertising and other marketing strategies
Again, Article 6. It's not ideal, but they could argue it on Article 6, especially Article 6 paragraph 1 subsection (f) GDPR. I doubt an agency checking in on how they actually deal with it would allow them to be this vague about it, especially since there's no hint of data protection by default/by design in accordance with Article 25 GDPR. At least I didn't get any options to decline any of this at any point (during install or after the setup of the client). So their default is "we share everything", while their default has to be "we share nothing; you say what we share".
As part of our international operations, we may transfer information about you to any jurisdiction where we do business... The laws in those jurisdictions may not provide the same level of data protection compared to the laws in your country.
Very poorly worded. The GDPR does allow for transfers outside of the EU; however, there are special restrictions on where to. The EU Commission has a list of countries, such as Switzerland, which are deemed to have a similar level of data protection, so there's no extra need for further precautions. The US, for example, is not on that list. Some companies within the US are within the framework of the Privacy Shield that has replaced the Safe Harbor pact. Again, Article 12: lack of transparency. Who gets this stuff? Why? For how long? What guarantees are there? The way it's written here also sounds like they'll transfer regardless of guarantees in those countries. That is 100% illegal according to the GDPR (see Article 46 GDPR). They have to ensure guarantees and safeguards of the level of EU requirements are in place.
If you are located in the EU or the Epic entities located in the EU process your personal information in the EU, then you have the right to restrict or object to our processing of your personal information. The right to restrict processing arises only in limited circumstances, for example, if you think we are processing inaccurate information. In addition, if we are required to restrict processing but the requirement is temporary, we may not be permanently obligated to adhere to your request.
The part they're referring to is Article 18 paragraph 1 subsection (a) GDPR. If you request restriction of processing because they process wrong data (like your last name is misspelled), they only have to restrict the processing until they've corrected your data (in accordance with Article 16 and Article 5 paragraph 1 subsection (d) GDPR). After that they may resume processing it. If, however, you restrict their processing (like telling them not to send it to countries or companies outside the EU, because you feel it's unlawful for them to do so), they have no power to simply set a timer on that request for you. It doesn't just expire.
In conclusion: their privacy policy has much larger issues. For example, they do not point out all your rights anywhere, which they're obligated to do for EU citizens (or as any company operating within the EU or having EU clients). Their transparency is inadequate and it's overall very lackluster in terms of what it should be. An example of a pretty good privacy policy statement in accordance with the requirements of the GDPR from a gaming company can be found over at Blizzard. They list almost everything I see lacking here.