Once the game company has your data (and mine) Facebook has no control over what the game company does with it or who it shares it with.
Oh, I'm sure they have policies about what can be done with the data but there really is no way to enforce it.
As an example, the company that operated the "At the Pool" Facebook game, left all their Facebook user profiles, etc, on a publicly accessible Amazon Web Services (AWS) server for anybody to access.
Here's an excerpt from an article on ZDNet on this Facebook data leakage:
[T]he company has lost control over its most important asset - its users' data - which is now leaking left and right from all the no-name companies and mom-and-pop developer firms who've collected it over the past few years.