What features do you mean? Zenphoto itself does not collect any data from visitors except the login cookie. It also does not call any scripts from external servers. If any third party plugin or script does this it is out of our responsibility.
There is a "half official" cookie consent plugin (by me) available you can use.
All else like what your server collects or what statistics script you use is your responsibility to add a fitting data privacy statement to your site.
There is a discussion about it:
http://forums.b2evolution.net/general-data-protection-regulation-gdpr-resp-dsgvo-planned
In German:
http://fokus.genba.org/
and
https://www.pcwelt.de/a/5-mythen-ueber-die-eu-datenschutz-grundverordnung,3449029
I know what that is. So what "feature" do you refer to? As said Zenphoto does not collect personal data except on user accounts or unless you make it do so.
The only cookie Zenphoto might set for normal users is on dynamic albums. Some info about cookies:
http://www.zenphoto.org/news/cookies/
Give me one usable please!
Imagine you have hundreds of users.
If you now start with phpmyadmin, csv/excel and what so ever - and these folks start 2 ask 4 their data, and you have 4 weeks time to respond, when are you going 2 do your real work? Yes, its 4 laughing and crying.
I see what you mean but it's all just PHP and MySQL, see the documentation :-)
I am not a lawyer but I am not sure if this really applies if these user register themselves on a Zenphoto site. Because they can technically just look themselves what they did.
I think this is primarily for sites where you don't know what a site stores about you behind the scenes. Online shops or services.
Zenphoto by itself does not store anything hidden personal unless you use it to do so (currently it may store the IP but in the coming 1.4.15 there is an option to anonymize it). Then you naturally would have to take care about that yourself.
Now that GDPR has arrived I have to unbury this thread. mile:
I have to agree with Nordlicht: There are some points Zenphoto could (and should?) address in regard to GDPR. IANAL, but I think the intention of GDPR could be described as follows:
- Tell the user what kind of data is stored and what it is used for.
- Offer the user a way to get a (machine-readable) export of this data.
- Offer the user a way to delete/request deletion of this data.
I don't think it's sufficient to simply offer an option (to the end-user?!) to anonymize an IP address. (By the way: Version 1.4.15 still isn't available yet, is it?)
What could you do about it?
- Have a data protection declaration telling end users what data is stored and why it is stored (e.g. an in-depth variant of "We are storing your e-mail address to allow you to reset your passwort. We are using cookies on your client to keep you logged in.").
- Offer a button to export user data from the database to XML in the backend. (This might have to include links to all files uploaded by this user because AFAIU the idea behind this is, that GDPR wants service providers to offer a migration path to their users.)
- Requests for deletion or data export could be done by a contact form so this is covered by the official contact_form plugin (but maybe a reference to this should be made in the aforementioned declaration and the installation/admin guide).
Disclaimer: I have spent a major part of my worktime on GDPR in a (large) corporate IT context for the last 6-8 months. I don't want to come across as someone jumping the bandwagon of overly scared and/or hyperactive SOHO/blog admins, but getting your site GDPR-compliant is important and it doesn't need investing huge amounts of time. Data privacy is important!
