Take into account the General Data Protection Regulation (EU May, 2018)

Type: Feature request
Status: Resolved
Priority: Normal
Description:

Hi Jordi,

At the end of May 2018, the European GDPR becomes valid for Europe and Switzerland. I am not sure if there are already ongoing preparations for our homepage? Labdoo has to work on that as we deal with personal data of European citizens. How much we have to change I cannot say. Initial information is here: https://en.wikipedia.org/wiki/General_Data_Protection_Regulation

There is a good German summary here https://www.df.eu/blog/der-8-schritte-plan-wie-sie-die-neue-dsgvo-umsetz...

As I understand it, there are parts which I can work on together with Frank, e.g. modifying the German impressum (German Imprint). But updated imprints in other languages might be needed as well, if those refer to the EU?

But there are some parts, which I am not able to influence:

  • anonymize (I guess this verb does not exist; make anonymous) the IPs of visitors e.g. for Google Analytics, https://www.metrika.de/blog/web-analytics/google-analytics-anonymizeip/
  • Sign a contract with Google, either by snail post https://static.googleusercontent.com/media/www.google.com/de//analytics/... or in your analytics account (the company/NGO and a primary contact person have to be named); once the contract is agreed it should be sent to all super hubs in a European country, in case someone is asking for it.
  • Install a Google Analytics Opt-Out-Option (example https://wordpress.org/plugins/google-analytics-opt-out/)
  • only needed for companies > 250 employees, but if EU is counting user accounts, it might be needed: a list of all order processes (but I hope it is not needed)
  • team wall: leaving comments as a user or anonymous is also mentioned; a hint and a link to the imprint and that user data will be stored and processed has to be added to contact sheet. The suggested solution is to add a user entry https://wordpress.org/plugins/wpdiscuz/
  • contact page: sending a message to Labdoo is also involved; users have to explain their acceptance of leaving their data and that it is processed, e.g. by clicking a box "I agree to...". This agreement has to be recorded.
  • Need your feedback to work out a new imprint here:
    • server log? Are we keeping record of the IPs of visitors in a server log? Is it needed or can we remove that? If not, we have to inform in our imprint.
    • Cookies? Does our web-site use cookies? If so, add to imprint.
    • Google maps - we use Google maps, but how? We display maps to inform users. But do we get information from the users, which Google maps might get as well? As I understand, users are not able to enter data for Google maps into our web-site? So it is more a passive showing of maps. Then no data protection declaration for Google maps should be needed?
    • User registration and other aspects of our web-site? We have to check our processes, e.g. if registering and displaying user data is in line with the EU GDPR. Some experts recommend involving a lawyer specialized in IT law and regulation. It is a new and complex matter.

This list may not be complete. It is a summary of what I understood might have to be changed for our small NGO...
Thanks,
Ralf, Labdoo Germany

Comments

Submitted by jordi on Sat, 05/12/2018 - 18:34

Hi Ralf,

Some answers to your questions:

> server log? Are we keeping record of the IPs of visitors in a server log?
> Is it needed or can we remove that? If not, we have to inform in our imprint.

Now we are not, I just deactivated all tracking of IP addresses from our servers and cleared up our database from any IP address information. We don't really need users' IPs, so less is better.

> Cookies? Does our web-site use cookies? If so, add to imprint.

Yes, we do use cookies. I will add it to the English imprint.

> Google maps - we use Google maps, but how? We display maps to inform users.
> But do we get information from the users, which Google maps might get as well?

We don't get personal information from users for Google maps. Our Google maps are only used to display the position of objects. The closest one would be dootrips, which show information about people's travels (location and dates). We may need to mention something about dootrips in the imprints/terms and conditions. Notice that users are fully capable of deleting the dootrips they registered themselves, so this is compliant with GDPR in that it gives the power to users to disclose and to fully erase such information.

> As I understand, users are not able to enter data for Google maps into our web-site?
> So it is more a passive showing of maps. Then no data protection
> declaration for Google maps should be needed?

Correct. I would however mention the case of dootrips and explain such information is freely provided by users (it's not captured by Labdoo without telling the user) and can be deleted by the user at any time.