About the GDPR

Started by LiroyvH, June 02, 2018, 09:08:21 PM

Arantor

So if there is a system error that means the privacy policy physically can't be displayed (maintenance mode aside), it's now a GDPR violation. In fact, in almost every single possible circumstance under that, you'd have to display the privacy notice. Even if the site is in hard maintenance where not even admins can log in, you STILL have to display it on almost every webhost ever set up because it still goes into access logs so even though the site isn't accessible, the fact it's been visited at all still counts.

Congratulations, that's the second dumbest thing I've heard yet coming out of the German interpretation of the GDPR, the first being that if patients request their healthcare data to be deleted under RTBF, electronic records must be deleted, while the paper copies (that are fundamentally incomplete, if say, you have cancer where you'll have CTs and treatment plans and all that stuff as 95% of that won't ever make it to paper and even if it did, it wouldn't be especially useful anyway) must be kept for 30 years.

Fortunately the ICO is not quite so asinine about any of this. It's getting increasingly less worth the effort to run a website the way this is going.

Aleksi "Lex" Kilpinen

I still think that must be a misunderstanding, or a very, very poor local implementation, because no such requirement can be seen in the actual GDPR.

EDIT:

As far as I know, this is THE point in the GDPR that has been interpreted as the need for a privacy policy to be available:

Quote
The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means.

In my understanding, appropriate measures does not mean it has to be available at all cost at all times, it simply means to make it public and clear where you can obtain the information if needed.

Article 13 in itself will not come into play if the server is down, because no information is then collected, and the user does not have to be informed of that.
Slava Ukraini!


"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum. Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas

How you can help SMF

wintstar

Quote from: Arantor on August 09, 2018, 03:47:22 AM
...
Congratulations, that's the second dumbest thing I've heard yet coming out of the German interpretation of the GDPR, the first being that if patients request their healthcare data to be deleted under RTBF, electronic records must be deleted, while the paper copies (that are fundamentally incomplete, if say, you have cancer where you'll have CTs and treatment plans and all that stuff as 95% of that won't ever make it to paper and even if it did, it wouldn't be especially useful anyway) must be kept for 30 years.

Fortunately the ICO is not quite so asinine about any of this. It's getting increasingly less worth the effort to run a website the way this is going.
That's not German, that's European crap. And I also see it that way: it is slowly no longer worthwhile to run a private website in Europe.
This DSGVO is actually made to bring even more members to the social networks. The private websites will be broken. But that's not the topic here. The laws have been made, so you should also see to implementing them as far as possible. alberlast has already solved it.
Regards Stephan

"In order for the possible to come into being, the impossible must be attempted again and again."
Hermann Hesse (1877-1962)

My Homepage - My Board - My Atelier

Aleksi "Lex" Kilpinen

The actual GDPR is EU crap, but each country will have to write it into their own legislation, so if German legislation says what you say it does, then that is German crap, not EU crap, sorry.

Arantor

I have done this, I have spoken at great length with the ICO, the U.K. equivalent. And they are not so asinine about it.

Aleksi "Lex" Kilpinen

So far I have yet to see a very extreme approach to this in Finland either; so far the local interpretation seems almost reasonable.

feline

If the forum is in "Maintenance Mode", no user data is handled or saved, because the user simply cannot log in.
So I think this can simply be ignored ...

Arantor

The user still gets entered into the access log and therefore apparently all the privacy notices have to be shown.

feline

Quote from: Arantor on August 09, 2018, 08:00:51 AM
The user still gets entered into the access log and therefore apparently all the privacy notices have to be shown.
Well .. I have just implemented this feature ...
It's very simple to handle that  ;)

In the index.php just before this
return 'InMaintenance';

check whether the request is for the impressum or the GDPR policy  ;)

Easy to handle that ..
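One way to implement the check described above, as an added example that is not feline's code and not SMF's own: an explicit allow-list of read-only actions that may bypass maintenance mode, decided with strict comparison so that nothing else slips through. The action names 'privacypolicy' and 'impressum' are assumptions; substitute the actions your forum actually uses.

```php
<?php
// Added example (not SMF's own code): decide whether a request may bypass
// maintenance mode because it asks only for a legally required, read-only page.
// The action names below are assumptions; check your forum's real action names.

declare(strict_types=1);

/** Actions that must stay reachable during maintenance (assumed names). */
const MAINTENANCE_ALLOWED_ACTIONS = ['privacypolicy', 'impressum'];

/**
 * Returns true only when the request targets exactly one allow-listed action.
 * Anything missing, non-string (e.g. action[]=...), or not on the list is
 * refused, so maintenance mode remains the default for every other request.
 */
function maintenanceBypassAllowed(array $request, array $allowed = MAINTENANCE_ALLOWED_ACTIONS): bool
{
    if (!isset($request['action']) || !is_string($request['action'])) {
        return false;
    }
    return in_array($request['action'], $allowed, true);
}

// Where index.php currently does `return 'InMaintenance';`, the guard becomes:
//
//     if (!maintenanceBypassAllowed($_REQUEST)) {
//         return 'InMaintenance';
//     }
//     // otherwise fall through so the allow-listed action can render
//
// Constructed sample requests for a quick self-check (not real traffic):
$samples = [
    ['action' => 'privacypolicy'],      // allowed: privacy policy page
    ['action' => 'impressum'],          // allowed: legal notice page
    ['action' => 'login'],              // blocked: not on the allow-list
    ['action' => 'PrivacyPolicy'],      // blocked: strict, case-sensitive match
    ['action' => ['privacypolicy']],    // blocked: array instead of a string
    [],                                 // blocked: no action at all
];

foreach ($samples as $r) {
    printf("%-28s => %s\n", json_encode($r), maintenanceBypassAllowed($r) ? 'bypass' : 'InMaintenance');
}
```

The allow-listed action still has to be dispatched without requiring a login, and it should render nothing beyond the static policy text; the whole point of the bypass is to show the notice, not to reopen any part of the forum. Note that this only addresses what the application serves; the webserver's access log that Arantor mentions is written before index.php runs and is covered by the policy text itself, not by this check.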

petb

How far is the matter in the meantime?
Is there any progress to report?

d3vcho

Our developers are working hard to implement this feature both in 2.0.x and 2.1.x. We'll have to wait a bit more because this is something serious that needs to be discussed and properly implemented but, for everyone's relief, we're much closer than we were a few months ago.
"Greeting Death as an old friend, they departed this life as equals"

live627

Properly implementing this takes time. We want to get this right. We must also consider existing installs and how best to not disrupt them.

petb

How far is the matter in the meantime?
Is there any progress to report?

m4z

Oh, I never saw this topic until today...  :-X

Disclaimer: IANAL, everything that follows is just AFAIK.

An important part of the German DSGVO (I don't know if it's also part of the GDPR, but I would assume so) seems to be that in your privacy policy, you need a list of all third-party sites with access to personal data (e.g. IP address, which means basically any third-party site) and information about what exact data these sites receive, and how to access their privacy policy page if you want to object/reject them from handling your data (and under the German DSGVO, as the forum host, you apparently even need to have "commissioned data processing" (German: "Auftragsdatenverarbeitung") contracts with all of these sites).

Will SMF by default contain this data for the mandatory and optional built-in services, like jQuery, reCAPTCHA, Gravatar, ...?
"Faith is what you have in things that don't exist."
--Homer Simpson

There is a German support board here in the forum!

Arantor

2.0 has none of those built in, 2.1 comes with its own copy of jQuery which doesn't need to be external (unless you set it to use CDN), and not everyone will use either reCAPTCHA or Gravatar - but I doubt it will automagically identify what combinations of settings you use, etc.

Especially with the ad management mod, that has no way to know which providers are in use - so that really should be on the site owner to deal with.

m4z

Quote from: Arantor on May 12, 2019, 05:34:24 PM
2.1 comes with its own copy of jQuery which doesn't need to be external (unless you set it to use CDN)

That's not 100% correct, the 2.1 default (for Configuration -> Features and Options -> General -> "Source for the jQuery Library") seems to be "Auto", which, according to the docs, "[...] will use the CDN first and if not available fall back to the local source". This is what I was seeing, and this took me by surprise, because I had expected the feature to work the other way around: try local first, and if that fails, go for the CDN. (And that's why I assumed jQuery was a "mandatory" feature, although I didn't specifically say that.)


Quote from: Arantor on May 12, 2019, 05:34:24 PM
and not everyone will use either reCAPTCHA or Gravatar - but I doubt it will automagically identify what combinations of settings you use, etc.

That was kinda what my query was about, the SMF PP should by default include all the info for all these third-party sites (not only the enabled-by-default ones), independent of the site actually using it. This is waaaay more practical than putting documentation somewhere (that 99.9% of users won't ever bother to read) that instructs the remaining 0.1% that if they enable feature X, they would also have to adjust the PP. Also, the forum owners can't really judge (with reasonable effort) how all those features work and what kind of personal information will be available to those third parties.


Quote from: Arantor on May 12, 2019, 05:34:24 PM
Especially with the ad management mod, that has no way to know which providers are in use - so that really should be on the site owner to deal with.

I agree that SMF can't reasonably solve this problem for mods (and I didn't ask for that).

Arantor

It is 100% correct, jQuery is mandatory but it doesn't have to use a CDN, I have always set my 2.1 to be local and it's been that way for the last 5 years, because I had frequent spells of not having an internet connection.

The PP should not by default include things that are not enabled by default. And good luck to you writing the translated version of the privacy policy that patches all the bits together. Hint: other forum platforms that have had GDPR features for more than a year don't try to solve this - at the end of the day, you are the site owner, you are responsible for it being correctly listed, not the software, and if the software has defaults there is a fair bet someone will be on the wrong side of it for assuming it is magically correct when it is not.

petb

I did not mean that with my question about progress.
I thought I had read that there should also be a solution in 2.0.x from SMF directly?

That also in 2.0.x the privacy policy, as well as the terms of use, etc.,
can each be activated separately and viewed and confirmed,
and that the user can export his data, and
the admin can then also delete a user in a DSGVO-compliant way, etc.?

Without the need for an extra mod?

Or did I choose the wrong topic here?

EDIT:
No, found this here:
Quote from: CoreISP on June 02, 2018, 09:24:21 PM
....
Quote
And with the term "our next release", do you mean the next major update (the 2.1 branch) or the current stable branch (2.0.x)?

Both! :)
But SMF 2.0 gets it first as that's the current stable version and thus what most people are using.

m4z

Quote from: Arantor on May 13, 2019, 03:46:56 AM
It is 100% correct, jQuery is mandatory but it doesn't have to use a CDN[...]

The correctness was about your phrasing, it sounded like the default jQuery setting was local-only, and the admin needs to explicitly change the setting to use the CDN. (And yes, it is of course mandatory, I was just pre-coffee rambling... :-X)


Quote from: Arantor on May 13, 2019, 03:46:56 AM
The PP should not by default include things that are not enabled by default. [...] Hint: other forum platforms that have had GDPR features for more than a year don't try to solve this - at the end of the day, you are the site owner, you are responsible for it being correctly listed, not the software, and if the software has defaults there is a fair bet someone will be on the wrong side of it for assuming it is magically correct when it is not.

I disagree, I think it should include all those third parties, and maybe prefix each one with something like "If this site is configured to use the Gravatar option, your personal data (including IP address, email address, ...) will be processed by them, blah blah blergh...".
Otherwise, as a site owner, you would have to test all user-configurable options to see if any of them have an effect on any specific forum page, resulting in traffic to additional third-party sites.
Being on the other "wrong side", that is, including a "this external site might be processing your data under these circumstances"-prefixed reference to a site that isn't actually used, shouldn't be a problem.


Quote from: Arantor on May 13, 2019, 03:46:56 AM
And good luck to you to write the translated  version of the privacy policy that patches all the bits together.

I don't understand. I'm asking for one static policy that includes all of this. Not multiple versions, and not code-including sections based on features used.

m4z

Quote from: petb on May 13, 2019, 05:51:01 AM
I did not mean that with my question about progress.
I thought to have read that there should also be a solution in the 2.0.x by SMF directly?

[...]

Or did I choose the wrong topic here?

This is the correct topic. AFAICT, the feature is not yet implemented in 2.0 or 2.1 RC2 (for the 2.1 branch, part of it is scheduled for RC3).