General Data Protection Regulation (GDPR, resp. DSGVO)

Are there any features planned regarding GDPR for ZPC?

Comments

  • acrylian Administrator, Developer

    What features do you mean? Zenphoto itself does not collect any data from visitors except the login cookie. It also does not call any scripts from external servers. If any third party plugin or script does this it is out of our responsibility.

    There is a "half official" cookie consent plugin (by me) available you can use.

    All else like what your server collects or what statistics script you use is your responsibility to add a fitting data privacy statement to your site.

  • acrylian Administrator, Developer
    edited January 2018

    I know what that is. So what "feature" do you refer to? As said Zenphoto does not collect personal data except on user accounts or unless you make it do so.

    The only cookie Zenphoto might set for normal users is on dynamic albums. Some info about cookies:
    http://www.zenphoto.org/news/cookies/

  • I am not a lawyer ;)
    But I think that as soon as a user registers himself in ZPC (or it is made by the admin), the website owner collects data.
    Users may write comments in the blog or news, they may upload pictures, comment those or others in the gallery, and so on...

  • acrylian Administrator, Developer

    Yes, and there are lots of functions available to list that data.

  • Nordlicht Member
    edited January 2018

    Give me one usable please!

    Imagine you have hundreds of users.
    If you now start with phpmyadmin, csv/excel and whatsoever - and these folks start 2 ask 4 their data, and you have 4 weeks time to respond, when are you going 2 do your real work? :D:( Yes, it's 4 laughing and crying.

  • acrylian Administrator, Developer
    edited January 2018

    I see what you mean but it's all just PHP and MySQL, see the documentation :-)

    I am not a lawyer but I am not sure if this really applies if these users register themselves on a Zenphoto site. Because they can technically just look themselves what they did.

    I think this is primarily for sites where you don't know what a site stores about you behind the scenes. Online shops or services.

    Zenphoto by itself does not store anything hidden personal unless you use it to do so (currently it may store the IP but in the coming 1.4.15 there is an option to anonymize it). Then you naturally would have to take care about that yourself.

  • Tobias Member

    Now that GDPR has arrived I have to unbury this thread. :smile:

    I have to agree with Nordlicht: There are some points Zenphoto could (and should?) address in regard to GDPR. IANAL, but I think the intention of GDPR could be described as follows:

    • Tell the user what kind of data is stored and what it is used for.
    • Offer the user a way to get a (machine-readable) export of this data.
    • Offer the user a way to delete/request deletion of this data.

    I don't think it's sufficient to simply offer an option (to the end-user?!) to anonymize an IP address. (By the way: Version 1.4.15 still isn't available yet, is it?)

    What could you do about it?

    • Have a data protection declaration telling end users what data is stored and why it is stored (e.g. an in-depth variant of "We are storing your e-mail address to allow you to reset your password. We are using cookies on your client to keep you logged in.").
    • Offer a button to export user data from the database to XML in the backend. (This might have to include links to all files uploaded by this user because AFAIU the idea behind this is, that GDPR wants service providers to offer a migration path to their users.)
    • Requests for deletion or data export could be done by a contact form so this is covered by the official contact_form plugin (but maybe a reference to this should be made in the aforementioned declaration and the installation/admin guide).

    Disclaimer: I have spent a major part of my worktime on GDPR in a (large) corporate IT context for the last 6-8 months. I don't want to come across as someone jumping on the bandwagon of overly scared and/or hyperactive SOHO/blog admins, but getting your site GDPR-compliant is important and it doesn't need investing huge amounts of time. Data privacy is important!

  • fretzl Administrator, Developer

    Thanks for your concern. We're about to release the next version which has all the bells and whistles to comply with the GDPR.
    Probably later today.

  • acrylian Administrator, Developer
    edited May 2018

    Thanks, as fretzl noted, we are aware of it, being in the EU ourselves.

    Most of what you mentioned lies in the responsibility of each site owner and not ours except for our own site of course. And we do take privacy seriously since forever already.
