Skip to main content
Topic: Urgent ! New European DSGVO (GDPR) law hits all Forum Admins hard into your Face (Read 373 times) previous topic - next topic
0 Members and 1 Guest are viewing this topic.

Urgent ! New European DSGVO (GDPR) law hits all Forum Admins hard into your Face

Hi,
did you already read about the new
DSGVO (GDPR) law ?

There are now very high new requirements regarding storing user datas and IP adresses and Cookies
and each users has the right to get all his stored data, etc, etc. etc....


How can the Elkarte forum Software meet all these requirements ?

Will we have a plugin or a new version until the end of the month, that will handle
all these HUGE requirements ??

User Feline just said, that she will close her PortaMX forum at the end of the month,
cause she will not have a working solution by then...

Look at this:
https://www.portamx.com/forum-news-and-updates/latest-updates/msg20978/#msg20978

This law is really a total BS....but we have to obey it, cause it is EU law now then...

I think I will close then also all my forums at the 25.5.2018.....
What do you think ?

Regards, Stefan.

Re: Urgent ! New European DSGVO (GDPR) law hits all Forum Admins hard into your Face

Reply #1
My interpretation of what the GDPR means is different to feline's, this document https://ico.org.uk/media/for-organisations/documents/1600/social-networking-and-online-forums-dpa-guidance.pdf

Is a good source and example of what is required and what isn't.

Initially showing the will to conform is important, after that if you are found to be non compiant then they will work with you, rather than fine you outright. At least that is my interpretation of it initially.

Re: Urgent ! New European DSGVO (GDPR) law hits all Forum Admins hard into your Face

Reply #2
The same as I thought about the cookie directive: EU is not gonna chase me for my tiny little forum. And even if they do, they can fine for 4% of my income (from the forum) that is about -70 euro/year (since I don't have ad, I don't have donations, I don't have anything and just take out the money from my pocket to have a VPS up and running).

Do you monetize your forum? If so, then you may start having to think about complying with it.
Are you having the forum "for fun"? Then you are fine.

I'm working on some changes to Elk to *start* having something, but honestly I'm personally not going to write several features from scratch just for the GDPR. :)
Bugs creator.
Features destroyer.
Template killer.

Re: Urgent ! New European DSGVO (GDPR) law hits all Forum Admins hard into your Face

Reply #3
Do you monetize your forum? If so, then you may start having to think about complying with it.
Are you having the forum "for fun"? Then you are fine.

Not true .. 
Read this:
Quote
When an organisation, or individual acting for non-domestic
purposes, posts personal data on a social networking site,
message board or blog, they will need to ensure that they have
complied with the DPA
Many are stubborn in relation to the path, a few in relation to the target.
Visit our new Forum Project on https://www.portamx.com

Re: Urgent ! New European DSGVO (GDPR) law hits all Forum Admins hard into your Face

Reply #4
Sad to hear about this though I don't really care about it that much. I guess freedom of association is no longer protected in EU. Good luck to those who choose to close their forum because of this GDPR.

 

Re: Urgent ! New European DSGVO (GDPR) law hits all Forum Admins hard into your Face

Reply #5
Then let's use the exceptions:
Article 6

Lawfulness of processing

1.   Processing shall be lawful only if and to the extent that at least one of the following applies:

(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
...
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
The registration to me can be assimilated to a contract, so forums fall under point b: forum need to store IP, email addresses and nick names in order to fulfil the contract.
The storage of IP, email address and nick names is needed in order to provide the service for which the user registered to.

I'm pretty sure you will argue there are more personal data than that, sure. But these are the most prominent and fundamental to the functioning of the software. anything else can be scraped and anyway the data subject has the possibility to amend to them.

Again, in my current interpretation of the GDPR, there are two things needed:
  • logging of the agreement (on which I'm working)
  • anonymization (on which I'll work one 1 is done)

Everything else are all things that can be improved, but are all already around in a way or another.
Do you need to fully anonymize? A few UPDATEs and it's done.
Do you need to extract the personal data? Few SELECTs and it can be done.
etc.
 Yes, I'm talking with my developer (well, mostly lol) mindset, of course, but with the developer mindset I can tell you that everything can be worked out and I don't see reasons to freak out and scare people with the 20 million euro fines.

To me, anyway, the most important aspect that nobody seems to have grasped are not the technical ways to deal with the requests, but is the informations given to the users. The point is to inform the data subject telling them how the data are used. Doing that is already 90% of the problem. Do that "right" is already a good part of dealing with GDPR.
That said, I'm not a lawyer, I can provide the technical details of how and why data are stored, but then write down a "nice" information is another thing.
Bugs creator.
Features destroyer.
Template killer.

Re: Urgent ! New European DSGVO (GDPR) law hits all Forum Admins hard into your Face

Reply #6
User Feline just said, that she will close her PortaMX forum at the end of the month,
cause she will not have a working solution by then...
Well .. we have today activated our GDPR functionallity  ;)
Works as designed .. so I think, we are on a good way.

Currently we have no data export, that comes later ...

Fel
Many are stubborn in relation to the path, a few in relation to the target.
Visit our new Forum Project on https://www.portamx.com

Re: Urgent ! New European DSGVO (GDPR) law hits all Forum Admins hard into your Face

Reply #7
The first cease-and-desist orders are already hitting websites in Germany,
so as Elkarte.net  itsself has no GDPR plugin enabled it is already vulnerable to these
ease-and-desist orders..
So please hurry up to release the new version and also implement it over here... Many thanks.

See:
https://www.youtube.com/watch?v=VIMAXEmpXOE


Re: Urgent ! New European DSGVO (GDPR) law hits all Forum Admins hard into your Face

Reply #8
Also I can not find any Impressum -  or About us page on Elkarte.net

Only the credits page:
https://www.elkarte.net/community/index.php?action=who;sa=credits
But this is not enough, as it must be stated who also owns the domain
and who is responsible for the domain and its content-..

So this is required by law...

So You better get movin... and add this to this domain..

Re: Urgent ! New European DSGVO (GDPR) law hits all Forum Admins hard into your Face

Reply #9
Hi,
I don't know if it is the best place,sorry if not.
For me GDPR, RGPD in french, is very simple for a forum with no commercial use. Maybe i'm wrong.
My RGPD/GDPR agreement in french... and after in english :

La seule donnée personnelle que nous vous demandons lors de l'inscription est une adresse de messagerie électronique.
Par ailleurs une autre donnée personnelle est enregistrée lorsque vous vous connectez au forum : il s'agit de votre adresse IP.
Ces données ne sont absolument pas utilisées pour d'autres usages que le fonctionnement du forum et ne sont en aucun cas communiquées à des tiers, sauf action de justice.
Vous pouvez décider dans votre profil utilisateur de rendre votre adresse de messagerie utilisable par les autres membres et donc de fait ils connaîtrons votre adresse : par défaut elle est visible uniquement par les administrateurs et modérateurs.
Votre profil utilisateur peut être complété par différentes informations non obligatoires qui pourraient avoir un caractère de donnée personnelle : vous gérez cela par vous même.
Votre adresse de messagerie est utilisée à des fins de communication entre les administrateurs/modérateurs du forum et vous, et uniquement si vous le décidez dans votre profil entre les autres membres du forum et vous.
L'adresse IP est recueillie afin de facilité la modération du forum, le bon fonctionnement du forum avec l'enregistrement des erreurs rencontrées à des fins de correction, et en cas de demande par la justice.
Les données sont conservées tant que votre compte existe et jusqu'à 1 an après sa suppression. Les logs d'erreurs sont supprimés au fur et à mesure que les corrections sont réalisées.
Vous pouvez supprimer votre compte à partir de votre profil.
Votre compte sera supprimé après validation d'un administrateur. Votre compte et donc les données qui y sont attachées seront alors effectivement supprimées du forum, mais vos publications resteront en ligne : tous vos messages resteront en ligne avec comme indication votre pseudonyme, qui n'est pas une donnée personnelle, et le statut invité. À noter que votre pseudonyme est par défaut identique à votre identifiant : l'identifiant comme le pseudonyme peuvent être modifiés dans les paramètres de votre profil.

Par ailleurs le forum utilises des cookies.
Un Cookie peut se traduire par : témoin de connexion ou encore fichier de marquage.
Ce sont des fichiers-texte contenant un petit nombre d’informations qui sont téléchargés sur votre équipement informatique lorsque vous accéder ou naviguez sur un site internet. Ils sont ensuite renvoyés au nom de domaine initial lors de vos nouvelles visites sur cette page internet.
Le forum utilise 2 témoins de connexion : un nommé PHPSESSID et l'autre ElkArteCookie213. Ils expirent tous les deux à la fin de la session et sont ainsi recréés à chaque nouvelle connexion. Ils permettent simplement de maintenir votre session ouverte pendant le temps que vous indiquez au moment de la connexion, sinon par défaut pendant 60mn. C'est ElkArteCookie213 qui contient vos identifiants/mot de passe afin de maintenir la session ouverte. Les échanges entre ElkArteCookie213 et le serveur sont cryptés afin de protéger les données au mieux lors de la circulation sur les réseaux.
Vous pouvez refuser ces deux témoins de connexion dans les options de votre navigateur mais vous serez continuellement déconnectés du forum puisque leur fonction est justement de maintenir la session ouverte. Cela n'est pas du tout conseillé puisque votre expérience du forum sera alors très dégradée.


The only personal data we ask you during registration is an e-mail address.
In addition, another personal data is saved when you log in to the forum: this is your IP address.
These data are absolutely not used for purposes other than the functioning of the forum and are in no way communicated to third parties, except legal action.
You can decide in your user profile to make your e-mail address usable by other members and therefore they will know your address: by default it is only visible to administrators and moderators.
Your user profile may be supplemented by various non-mandatory information that could have a personal data character: you manage this by yourself.
Your e-mail address is used for communication purposes between forum administrators / moderators and you, and only if you decide in your profile between the other members of the forum and you.
The IP address is collected to facilitate the moderation of the forum, the proper functioning of the forum with the registration of errors encountered for correction, and in case of request by the courts.
The data is kept as long as your account exists and up to 1 year after it is deleted. The error logs are deleted as the corrections are made.
You can delete your account from your profile.
Your account will be deleted after validation of an administrator. Your account and therefore the data attached to it will then be removed from the forum, but your publications will remain online: all your messages will remain online with as an indication your nickname, which is not a personal data, and the guest status. Note that your nickname is by default identical to your username: the username and the nickname can be modified in the parameters of your profile.

In addition, the forum uses cookies.
A cookie can be translated as: connection indicator or marking file.
These are text files containing a small amount of information that is downloaded to your computer equipment when you access or browse a website. They are then returned to the initial domain name when you visit this web page again.
The forum uses 2 cookies: one named PHPSESSID and the other ElkArteCookie213. They both expire at the end of the session and are recreated at each new connection. They simply keep your session open for the time you specify at the time of connection, otherwise by default for 60 minutes. This is ElkArteCookie213 which contains your login / password in order to keep the session open. The exchanges between ElkArteCookie213 and the server are encrypted in order to protect the data at best during the circulation on the networks.
You can refuse these two cookies in the options of your browser but you will be continuously disconnected from the forum since their function is precisely to keep the session open. This is not advised at all since your experience of the forum will be very degraded.

Philippe