So it goes even a bit further.

@mat54: So even if you are invite-only, if only one of your users resides in a
country in the EU (including the UK until they leave), you must be in
compliance with GDPR.

@Derk-Jan: It is not only a question of why you need the data and what the data
is; the data has to be encrypted "in flight and at rest" at all times. In
flight is easy: SSL. At rest would mean encrypting all the personal data in the
database.

Trying to define personal data is a moving target. It really depends. There is
the standard MediaWiki install, which would include at best a username, an
optional real name, an email address and the standard log entries attached to
activity. Add extensions such as CheckUser or SocialProfile and the complexity
of the personal data starts to grow. Install a new extension, and you have to
ask whether it increases the personal data.

Sadly, some of the forum posts, comments and discussions I have seen from other
software and website owners talk of geo-blocking EU countries.

Tom


-----Original Message-----
From: MediaWiki-l [mailto:[email protected]] On Behalf Of 
Derk-Jan Hartman
Sent: Wednesday, February 21, 2018 12:18 PM
To: MediaWiki announcements and site admin list 
<[email protected]>
Subject: Re: [MediaWiki-l] EU’s GDPR and MediaWiki on only invited users

@mat54
The definition of personal information in this law is most likely wider than
you assume. It also includes IP addresses, nicknames, login IDs, real names,
fingerprints of your browser, etc. etc.; basically anything that can
potentially lead back to the user.

The collection of the data in itself is not the problem, though. The purpose
for which you do so, having permission (by law, process or user consent), and
what you do with the data when you no longer need it are the key technical
aspects. Added to this, your ability to tell the user what information you
have collected about him, and potentially to remove or anonymise that data when
requested, is what determines your liability here. And as so often with legal
matters, the answer then quickly becomes 'it depends'.

For instance, if you can easily remove stuff from the database yourself,
because you have the skill and your user base is small enough that this
procedure is manageable, then you don't need the software to be able to do that
for you. You are still compliant.

If you leak all the email addresses and real names of all your users (former
and current) of a forum for coaching people with mental illness, then you have
a problem (you leaked identifiable (medical) information of users who are no
longer part of the coaching program), especially if those people had actively
requested you to delete the information you have on them.

DJ


On Wed, Feb 21, 2018 at 5:23 PM,  <[email protected]> wrote:
> LS,
>
> First of all, I have no legal background, so the solution must be simple 
> and clear (KIS).
>
> On my wiki there are only invited users, and from them I have no personal 
> information such as, for example, a birthday or address.
> So in my simple mind I don't have privacy content.
>
> But the question remains: must I still comply with the new ruling?
>
> _______________________________________________
> MediaWiki-l mailing list
> To unsubscribe, go to:
> https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
