> Example 3: GAMER X is registered as a user on the gaming platform of PLATFORM Y. One day, GAMER X is notified that his online account has been restricted. As he is unable to log in anymore, GAMER X asks the controller for access to all personal data relating to him. In addition, GAMER X requires access to the reasons for the account restriction. PLATFORM Y, the controller of the online gaming platform with which the request has been lodged, informs the users in its general terms and conditions available on its website, that any kind of cheating (mainly by the use of third party software) will entail a periodical or permanent ban from its platform. PLATFORM Y also informs the users in its privacy policy about the processing of personal data for the purpose of detecting gaming cheats, in accordance with the requirements set out in Art. 13 GDPR.
> Upon receipt of GAMER X’s request for access, PLATFORM Y should provide GAMER X with a copy of the personal data processed about GAMER X. Regarding the reason for the account restriction, PLATFORM Y should confirm GAMER X that it decided to restrict GAMER X’s access to online games due to the use of one or repeated gaming cheats which are in violation with the general terms of use. In addition to the information provided about the processing for the purpose of gaming cheat detection, PLATFORM Y should grant GAMER X access to the information it has stored about GAMER X’s gaming cheats which led to the restriction. In particular, PLATFORM Y should provide GAMER X with the information that led to the restriction of the account (e.g. log overview, date and time of cheating, detection of third party software,...) in order for the data subject to verify that the data processing has been accurate.
> However, according to Art. 15(4) and Recital 63 GDPR, PLATFORM Y is not bound to reveal any part of the technical operating of the anti-cheat software even if this information is relating to GAMER X as long as this is can be regarded as trade secrets. The necessary balancing of interests under Art. 15(4) will have the result that the trade secrets of PLATFORM Y preclude the disclosure of this personal data because knowledge of the technical operating of the anti-cheat software could also allow the user to circumvent future cheat or fraud detection
> The extent of the information provided to individuals will be heavily context dependent, taking into account the nature of the data controller and the nature of the breach of the terms of service. In some cases, it may only be possible for the data controller to provide basic information in response to an access request to which Art. 15(4) applies
So at least some information should be provided while some things could fall under the trade secret exception. I would imagine at least some cases need to go to DPA in order to get some clarification on what information must be provided and which things they could avoid disclosing, but that is going to take quite a while to get any resolution on.
https://edpb.europa.eu/system/files/2022-01/edpb_guidelines_...
> Example 3: GAMER X is registered as a user on the gaming platform of PLATFORM Y. One day, GAMER X is notified that his online account has been restricted. As he is unable to log in anymore, GAMER X asks the controller for access to all personal data relating to him. In addition, GAMER X requires access to the reasons for the account restriction. PLATFORM Y, the controller of the online gaming platform with which the request has been lodged, informs the users in its general terms and conditions available on its website, that any kind of cheating (mainly by the use of third party software) will entail a periodical or permanent ban from its platform. PLATFORM Y also informs the users in its privacy policy about the processing of personal data for the purpose of detecting gaming cheats, in accordance with the requirements set out in Art. 13 GDPR.
> Upon receipt of GAMER X’s request for access, PLATFORM Y should provide GAMER X with a copy of the personal data processed about GAMER X. Regarding the reason for the account restriction, PLATFORM Y should confirm GAMER X that it decided to restrict GAMER X’s access to online games due to the use of one or repeated gaming cheats which are in violation with the general terms of use. In addition to the information provided about the processing for the purpose of gaming cheat detection, PLATFORM Y should grant GAMER X access to the information it has stored about GAMER X’s gaming cheats which led to the restriction. In particular, PLATFORM Y should provide GAMER X with the information that led to the restriction of the account (e.g. log overview, date and time of cheating, detection of third party software,...) in order for the data subject to verify that the data processing has been accurate.
> However, according to Art. 15(4) and Recital 63 GDPR, PLATFORM Y is not bound to reveal any part of the technical operating of the anti-cheat software even if this information is relating to GAMER X as long as this is can be regarded as trade secrets. The necessary balancing of interests under Art. 15(4) will have the result that the trade secrets of PLATFORM Y preclude the disclosure of this personal data because knowledge of the technical operating of the anti-cheat software could also allow the user to circumvent future cheat or fraud detection
> The extent of the information provided to individuals will be heavily context dependent, taking into account the nature of the data controller and the nature of the breach of the terms of service. In some cases, it may only be possible for the data controller to provide basic information in response to an access request to which Art. 15(4) applies
So at least some information should be provided while some things could fall under the trade secret exception. I would imagine at least some cases need to go to DPA in order to get some clarification on what information must be provided and which things they could avoid disclosing, but that is going to take quite a while to get any resolution on.