I'm trying to formulate a privacy policy for those of us who are neither lawyers nor an organization large enough to hire any, but do care about privacy. I need the privacy policy to conform to my country's privacy laws.
This task is similar to adopting it to the EU's General Data Protection Regulation (GDPR). This law won't come into force quite yet, but I'm sure quite a few Discourse administrators will need to adopt their privacy policy to it anyways. Therefore I'm creating this topic about the questions concerning this. Be aware that I'm not an expert. My comments consist mainly of assumptions and questions.
There have been topics with similar questions, but I haven't found any answers
https://meta.discourse.org/t/default-ip-log-retention-time/42135
https://meta.discourse.org/t/faq-privacy-policy-for-non-english-discourse/19412
https://meta.discourse.org/t/data-retention-policy-implementation/38470
(As a new user my link count per post is restricted.)
The most relevant parts of the law are Article 12–13 (beginning on page one in [this]http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FUL PDF document; more easily accessable on this web page). I don't think Article 14 applies.
Article 12 states, among other things, that information all information related to the Privacy Policy should be in “in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child.”
Article 13 is about “Information to be provided where personal data are collected from the data subject”. It states:
- Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the following information:
(a) the identity and the contact details of the controller and, where applicable, of the controller's representative;
That would the the administrator.
(b) the contact details of the data protection officer, where applicable;
Usually not applicable.
(c) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
As to the purpose, basically what the section [What do we use your information for?]https://meta.discourse.org/privacy#use in the Discourse Privacy Policy says. The legal basis would be the GDPR.
(d) where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party;
Processing is mainly based on Article 6(1) point (f), but point (a): consent of the data subject. I guess the logging the IP addresses of visitors serves a legitimate interest of the controller; but I don't know about storing cookies on the data subject's computer.
(e) the recipients or categories of recipients of the personal data, if any;
None, assuming one does not use Google Analytics.
(f) where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available;
Ok, let's just pretend the data stays in the EU.
- In addition to the information referred to in paragraph 1, the controller shall, at the time when personal data are obtained, provide the data subject with the following further information necessary to ensure fair and transparent processing:
(a) the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
The Discourse Privacy Policy states:
We will make a good faith effort to:
- Retain server logs containing the IP address of all requests to this server no more than 90 days.
- Retain the IP addresses associated with registered users and their posts no more than 5 years.
First of all, I don't think a good faith effort is good enough. Secondly and asking as an administrator, what piece(es) of software actually keeps the server logs when Discourse is set up with Docker? Discourse itself only logs the IP addresses of registered visitors, right? As to the IP addresses of registered users, are these logged for visits only? Then it should not be too hard to anonymize them by deleting the last byte after a set amount of time.
(b) the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability;
Eh...?
(c) where the processing is based on point (a) of Article 6(1) or point (a) of Article 9(2), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
So a data subject can have all his or her data deleted if requested?
(d) the right to lodge a complaint with a supervisory authority;
(e) whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data;
Standard phrasings will pop up in time.
(f) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
I don't think this applies to Discourse.
