D4.1: The initial annotated presentation addressed to RAYUELA partners on how to apply correctly the provisions of the GDPR during the action.

D4.2: Report assessing the implementation of the GDPR in the RAYUELA action reporting on the lessons learned.

This report presents the high level-approach to data protection in RAYUELA. Section 1 presents the position of this deliverable in relation to other deliverables in the project, specifically in WP4. 

Section 2 introduces the continuous data protection by design and default approach in RAYUELA and the steps taken in making data protection and privacy a cornerstone of the project, namely: 

• The specific GDPR deliverables produced in WP9 requested by the EC. 
• The legal and ethical workshops conducted in the project. 
• The data protection handbook produced as a guidance document for partners. 
• The continuous DPIA process. 
• The GDPR support in data management 
• Ad hoc advice and many ad hoc meetings relating to GDPR. 

Section 3 relates to the main outcomes of data protection work, referring back to D4.4. The main outcomes of the DPIA process are that acceptable (low) residual risk was present at every phase of the project work, both during the piloting and data collection phase using the serious game and for the analysis phase. For this reason, no prior consultation with any specific data protection authority was needed. 

Section 4 presents some main lessons learned in RAYUELA, based on some of the data protection challenges encountered in the project. 

For each of these challenges, section 4 presents: 

• The legal context. 
• The choices made in RAYUELA. 
• The lessons learned during the project. 

The legal challenges covered are the following: 

– Serious games for research: what is the appropriate legal ground under the GDPR?

The lesson learned here is that Article 6 GDPR consent is usually the best choice, with some nuance. This was also the choice made in RAYUELA. 

– Consent ages in Europe for pan -European research activities: how to go about this?

The lesson learned here is that truly pan-European research remains challenging due to national complexities. There are solutions and work-arounds, but this is an issue that requires further attention by the research community. 

– Children and transparency: how to reach your audience?

The lesson learned here is that oral information upfront, with the use of visual and other aids, combined with the opportunity to ask questions is really the most important part of providing information to children. 

– Children playing serious games: fun first, research second? 

The lesson learned here is that it is in fact possible to adhere to a child first and child protection approach when designing a serious game with significant data collection for research purposes, without necessarily having to sacrifice so much of data collection and utility of said data that the research becomes impossible. However, some trade-offs cannot be avoided. 

– Identifiability of children and data subject rights: how to strike the right balance?

The lesson learned in this context is primarily that with the right research design, an appropriate balance can be found that allows a level of practical anonymity, while still enabling that data subject rights are granted. This seems an appropriate solution for children playing a serious game where there are no objective reasons to have the children identified. 

Section 5 presents the conclusion of this deliverable, namely that throughout the project, RAYUELA has insisted on a “players first, research second” approach, while still trying to enable the research to go ahead. Since extensive data protection controls were implemented to reduce any risk for the players, but WP6 still obtained sufficient data for their analysis, an appropriate balance is deemed to have been struck.