Difference between revisions of "GDPR/Table"
(correcting spans) |
|||
| Line 18: | Line 18: | ||
- Only processing needed for performing user request is allowed | - Only processing needed for performing user request is allowed | ||
|- | |- | ||
| | |rowspan="2"| | ||
User metadata | User metadata | ||
| Line 54: | Line 54: | ||
'''how to safeguard that on remote server?''' | '''how to safeguard that on remote server?''' | ||
|- | |- | ||
| | |rowspan="5"| | ||
User content | User content | ||
| Line 149: | Line 149: | ||
| Not subject to GDPR | | Not subject to GDPR | ||
|- | |- | ||
| Spam detection is '''NOT '''covered | |colspan="4"|Spam detection is '''NOT '''covered | ||
|} | |} | ||
Revision as of 10:35, 26 April 2018
| Data (Q1.1b) | Processing (Q1.1c) | Ground for processing (Q1.1d) | Issues to solve in Q1.1e |
| Credentials |
C2S: - Stored as long as the account exists - Check user JID against well-known spammer patterns |
Implicit permission (art 6.1b) |
- EULA must contain information about all processing - Only processing needed for performing user request is allowed |
|
User metadata - IP address - Presence, timestamp of last available presence |
C2S: - Stored during connection - Stored with account - Spam detection - Expose presence, last activity to other users |
Implicit permission (art 6.1b) |
- Only processing needed for performing user request is allowed - Doing data mining may trigger art 9.1 |
|
S2S: - handing over to receiving server - storage while receiving server is online |
Implicit permission (art 6.1b within EU, art 49.1b outside EU) |
- Only processing needed for performing user request is allowed - Doing data mining may trigger art 9.1 how to safeguard that on remote server? | |
|
User content - roster content (with names) - bookmarks - offline/MAM history - server-side file storage (http-upload) - PEP |
C2S: - Store roster and bookmarks with account - Store PEP in RAM - Store offline messages until client connects |
Implicit permission (art 6.1b) |
- Only processing needed for performing user request is allowed - Doing data mining may trigger art 9.1 |
|
C2S: - Store MAM and files |
Explicit consent (art 6.1a) | Is explicit consent is part of the MAM XEP? | |
|
C2S: - MAM on MUC |
Interest of third party (other MUC users), (art. 6.1f) | Is a notification/warning about this needed? | |
|
S2S: - handing over to receiving server |
Implicit permission (art 6.1b within EU, art 49.1b outside EU) |
- Only processing needed for performing user request is allowed - Doing data mining may trigger art 9.1 how to safeguard that on remote server? | |
|
S2S: - Storage on remote server with MAM - MAM on MUC |
Interest of third party (remote users), (art. 6.1f) | Is a notification/warning about this needed? | |
| Server logs |
C2S: - minimal: no logs - typical: some days weeks (logrotate), with IP adderesses and message metadata |
Recital 49 | Make limits clear to server operators? |
| Usage of remote components (e.g. roster management, transports) |
S2S: - Handing over metadata - Handing over user consent |
- Roster management: user consent - others: implicit permission (art. 6.1b) |
- Only processing needed for performing user request is allowed - Doing data mining may trigger art 9.1 how to safeguard that on remote server? Can we safeguard that with transports? |
| S2S metadata | Logging in server logs | Not subject to GDPR | |
| Spam detection is NOT covered | |||