Difference between revisions of "GDPR/Privacy Policy Template"

From XMPP WIKI
Jump to navigation Jump to search
m
 
Line 2: Line 2:


= Privacy Policy =
= Privacy Policy =
We provide this information for those who consult the XMPP Wiki website. Note that this information applies only to that website and not to other websites the user may consult through links.


<nowiki>{{ date }}</nowiki>
When data subjects are in the EEA, it applies the [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN EU Regulation 2016/679 (GDPR)].


The <nowiki>{{ domain }}</nowiki> service is processing, storing and forwarding personal information about you as follows, in accordance with the EU GDPR. By using the server, you agree with the described processing of your data.
Indeed, according to Article 3(2) of the GDPR, we underline that whether this Mediawiki is installed on the server, not in the EEA, but the service is offered to users in the EEA, it applies.


== Data Processing ==
----


This section describes how the <nowiki>{{ domain }}</nowiki> service processes your personal information internally.
<q>'''Article 3 of the EU Regulation 2016/679'''</q>


=== Information Associated with your Account ===
'''Territorial scope'''


The following information is needed to provide the service to you (Art. 6.1b) and is stored as long as your account exists:
1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.


* Login credentials are stored in encrypted form and never shared with other parties.
2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
* Your account identifier (Jabber ID) is only shared with XMPP users and services that you interact with.
 
* Your contact list (roster, chatroom bookmarks) is not shared with other parties, except when you give explicit permission (XEP-0321: Remote Roster Management).
(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
* Your availability information (presence) is kept in memory and automatically shared with your contacts and the chatrooms you enter, and might be shared with other XMPP services that you are using (e.g. transports). The date and time of your last login is stored alongside your account to identify inactive accounts.
 
* The IP address of your registration and of your last login are stored alongside the account. This is required to detect and delete spammer accounts (Art. 6.1f). IP addresses of identified spammer accounts will be shared with other server operators to prevent further abuse.
(b) the monitoring of their behaviour as far as their behaviour takes place within the Union.


== User Content ==
3. This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.


Content that you send or that is sent to you, is stored on your behalf, so that you can access it from all of your clients (Art. 6.1b):
----


* Messages sent to you while you are offline are stored until you connect or your account is deleted.
* Message archives of the messages you send and receive are stored for 14 days, if you have enabled XEP-0313: Message Archive Management.
* Uploaded files are stored for 30 days (some clients cache messages, but not files, so those are kept for a longer time).
* Chatroom history is stored according to the configuration of the respective chatroom, and might be made public by other participants.
* Your public profile information (vCard) and avatar image is stored alongside the account and can be queried by users who know your Jabber ID.


== Server Logs ==
== Data controller ==


To ensure proper operation of the service, including network and information security, server logs are stored for 14 days (Recital 49 of the EU GDPR). The server log contain, among other data:
The data controller is XSF (XMPP Standard Foundation) `{email}`.  


* Message meta-data (sender, receiver, type of message).
== What data is collected ==
* Message content of messages automatically flagged as potential spam. These messages might undergo manual review.
We do not collect any personal data.
* Connection information, including IP addresses and timestamps.
* Internal processing information.


== Data Sharing ==
In case of users login this Mediawiki, the following information is needed to provide the service to you and is stored as long as your account exists:


The main goal of the XMPP network is to get your messages to your contacts, and vice versa. To achieve that, data and meta-data is transmitted to the servers of the respective users, as far as this is required to deliver the messages (Art. 6.1b).
* Login credentials are stored in encrypted form and never shared with other parties.
* Your account identifier (Jabber ID) is only shared with XMPP users and services that you interact with.
* Your contact list (roster, chatroom bookmarks) is not shared with other parties except when you give explicit permission (XEP-0321: Remote Roster Management).
* Your availability information (presence) is kept in memory and automatically shared with your contacts and the chatrooms you enter and might be shared with other XMPP services that you are using (e.g. transports). The date and time of your last login are stored alongside your account to identify inactive accounts.
* The IP address of your registration and of your last login are stored alongside the account. This is required to detect and delete spammer accounts. IP addresses of identified spammer accounts will be shared with other server operators to prevent further abuse.


=== Other XMPP Services ===
'''Each user is responsible for the content they publish.'''


Content that you send to other servers is subject to their respective data protection policies. The processing on these servers might not be covered by the high data protection standards you expect, especially if the servers are located outside of the EU (Art. 49.1b).
== Who can access the data, and for what activities? ==
The Wki administrator can access Personally Identifiable Information (PII) also for technical needs.


=== Your Online Status ===
=== Server Logs ===


If you join chatrooms or add other users to your contact list, those users (and the operators of their servers) will be automatically informed about:
To ensure proper operation of the service, including network and information security, the server log contain, among other data:


* When you come online,
* Message meta-data (sender, receiver, type of message).
* when you go offline, and
* Message content of messages automatically flagged as potential spam. These messages might undergo manual review.
* your availability status and message.
* Connection information, including IP addresses and timestamps.
* Internal processing information.


You can opt out from this by unsubscribing these contacts from your contact list.
== The purposes of the processing ==
When data subjects are in the EEA, it applies the GDPR. Still, the purpose is to provide access to the XMPP Wiki by allowing users to visit the Wiki website and for those who created an account to publish content.


=== Your Public Profile ===
Furthermore, the purposes are also related to server maintenance and system and application upgrades.


Your public profile information (vCard) and avatar image can be queried by users who know your Jabber ID.
The optional, explicit, and voluntary sending of electronic mail to the addresses indicated on the footer of this site involves the acquisition of the sender's address necessary for the replies and any other personal data contained in the message. These data are processed to respond to messages sent and handle related requests. Failure to provide personal data for communications with us or send requests will prevent evading them. We store data for the time strictly necessary for the purposes related to data processing.  


=== Push Services ===
== Legal basis for the processing ==
When data subjects are in the EEA, it applies the GDPR. Still, the processing of personal data is based on consent - according to Article 6, par. 1, letter a) of EU Regulation 2016/679 - expressed by the user by browsing this website, choosing the preferences, and submitting queries, thus accepting this information.


If you enable push notifications (e.g. on a mobile client), the data that is required to perform the push notification (typically a device ID and message meta data) is transmitted to the respective push service provider (Art. 6.1b, Art. 49.1b). This processing is subject to the data protection policies of the respective provider.
Consent is optional, and the user can withdraw at any time by request sent by email to `{maintainer's email}`, specifying that, in this case, whether the user does not consent, they cannot access their Wki accounts, and consult this website.


== Rectification and Erasure ==
According to Whereas(49) of the EU Regulation 2016/679, the processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, i.e. the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity, and confidentiality of stored or transmitted personal data, and the security of the related services offered by, or accessible via, those networks and systems, by public authorities, by computer emergency response teams (CERTs), computer security incident response teams (CSIRTs), by providers of electronic communications networks and services and by providers of security technologies and services, constitutes a legitimate interest of the data controller concerned.


You can access, change and delete the following information stored about you with a compliant XMPP client, after logging in with your Jabber ID:
Therefore, regarding server maintenance and system and application upgrades, the legal basis is the legitimate interest according to Article 6, letter f) and Whereas(49) of the EU Regulation 2016/679.


* your contact list and chatroom bookmarks
The processing of personal data is necessary to pursue the data controller's legitimate interest in providing information about studies and research, according to article 6, par. 1, letter f) of EU Regulation 2016/679, in compliance with the provisions of the same Regulation.
* your vCard and avatar
* your offline messages
* your message archives


For all other kinds of personal data processed by the <nowiki>{{ domain }}</nowiki> service, please contact the representative below.
== Cookies ==
The cookies are **functional** (session) and - in case of login - MediaWiki cookies for those users who login.
Therefore, for those who visit this website, there are no profiling or tracking activities.


To obtain information about data processed and stored on other XMPP services, please contact their respective representative.
== Data recipients ==
We do not communicate personal data collected from this website following its consultation to recipients or categories of recipients.  


== Representative ==
== Period for storing personal data ==
This website store personal data as described in the previous section "What data is collected" and "Server Logs" for the time related to the processing.


The representative for all purposes of data protection is:
== Transferring personal data to a third country or international organization ==
When data subjects are in the EEA, it applies the GDPR. Still, where the users are in the EEA, the data controller, the Mediawiki system administrator, does not transfer any personal data outside the European Economic Area (EEA).


<nowiki>{{ contact_details }}</nowiki>
== Security measures ==
The Mediawiki maintainer adopts appropriate security measures to prevent unauthorized access, disclosure, modification, or unauthorized destruction of data. Your data in the communication session with this website are protected by a Secure Sockets Layer (SSL) certificate that uses a cryptographic presentation protocol, encrypting the information.


You need to identify as the holder of a given Jabber ID to obtain any information about it.
== Data subjects' rights ==
When data subjects are in the EEA, it applies the GDPR. Still, users (data subjects) who login to Mediawiki may exercise the rights according to Articles 15 to 22 of EU Regulation 2016/679. You can lodge all requests to exercise these rights by writing to `{maintainer's email}`.


If you deem the conditions of this service as unacceptable, or have other concern, you have the right to complain to a <nowiki>{{ Data_Protection_Authority }}</nowiki>.
== Right to lodge a complaint for users who are in the EU ==
When data subjects, it applies the GDPR. Still, whether a data subject considers that the processing of personal data relating to them as performed via this website infringes the Regulation, they have the right to lodge a complaint with the competent Supervisory Authority (Data Protection Authority) according to Article 77 of the EU Regulation 2016/679.

Latest revision as of 11:15, 12 March 2023

This is a WIP and is going to be moved to a git repository.

Privacy Policy

We provide this information for those who consult the XMPP Wiki website. Note that this information applies only to that website and not to other websites the user may consult through links.

When data subjects are in the EEA, it applies the EU Regulation 2016/679 (GDPR).

Indeed, according to Article 3(2) of the GDPR, we underline that whether this Mediawiki is installed on the server, not in the EEA, but the service is offered to users in the EEA, it applies.


Article 3 of the EU Regulation 2016/679

Territorial scope

1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.

2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:

(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or

(b) the monitoring of their behaviour as far as their behaviour takes place within the Union.

3. This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.



Data controller

The data controller is XSF (XMPP Standard Foundation) `{email}`.

What data is collected

We do not collect any personal data.

In case of users login this Mediawiki, the following information is needed to provide the service to you and is stored as long as your account exists:

  • Login credentials are stored in encrypted form and never shared with other parties.
  • Your account identifier (Jabber ID) is only shared with XMPP users and services that you interact with.
  • Your contact list (roster, chatroom bookmarks) is not shared with other parties except when you give explicit permission (XEP-0321: Remote Roster Management).
  • Your availability information (presence) is kept in memory and automatically shared with your contacts and the chatrooms you enter and might be shared with other XMPP services that you are using (e.g. transports). The date and time of your last login are stored alongside your account to identify inactive accounts.
  • The IP address of your registration and of your last login are stored alongside the account. This is required to detect and delete spammer accounts. IP addresses of identified spammer accounts will be shared with other server operators to prevent further abuse.

Each user is responsible for the content they publish.

Who can access the data, and for what activities?

The Wki administrator can access Personally Identifiable Information (PII) also for technical needs.

Server Logs

To ensure proper operation of the service, including network and information security, the server log contain, among other data:

  • Message meta-data (sender, receiver, type of message).
  • Message content of messages automatically flagged as potential spam. These messages might undergo manual review.
  • Connection information, including IP addresses and timestamps.
  • Internal processing information.

The purposes of the processing

When data subjects are in the EEA, it applies the GDPR. Still, the purpose is to provide access to the XMPP Wiki by allowing users to visit the Wiki website and for those who created an account to publish content.

Furthermore, the purposes are also related to server maintenance and system and application upgrades.

The optional, explicit, and voluntary sending of electronic mail to the addresses indicated on the footer of this site involves the acquisition of the sender's address necessary for the replies and any other personal data contained in the message. These data are processed to respond to messages sent and handle related requests. Failure to provide personal data for communications with us or send requests will prevent evading them. We store data for the time strictly necessary for the purposes related to data processing.

Legal basis for the processing

When data subjects are in the EEA, it applies the GDPR. Still, the processing of personal data is based on consent - according to Article 6, par. 1, letter a) of EU Regulation 2016/679 - expressed by the user by browsing this website, choosing the preferences, and submitting queries, thus accepting this information.

Consent is optional, and the user can withdraw at any time by request sent by email to `{maintainer's email}`, specifying that, in this case, whether the user does not consent, they cannot access their Wki accounts, and consult this website.

According to Whereas(49) of the EU Regulation 2016/679, the processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, i.e. the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity, and confidentiality of stored or transmitted personal data, and the security of the related services offered by, or accessible via, those networks and systems, by public authorities, by computer emergency response teams (CERTs), computer security incident response teams (CSIRTs), by providers of electronic communications networks and services and by providers of security technologies and services, constitutes a legitimate interest of the data controller concerned.

Therefore, regarding server maintenance and system and application upgrades, the legal basis is the legitimate interest according to Article 6, letter f) and Whereas(49) of the EU Regulation 2016/679.

The processing of personal data is necessary to pursue the data controller's legitimate interest in providing information about studies and research, according to article 6, par. 1, letter f) of EU Regulation 2016/679, in compliance with the provisions of the same Regulation.

Cookies

The cookies are **functional** (session) and - in case of login - MediaWiki cookies for those users who login. Therefore, for those who visit this website, there are no profiling or tracking activities.

Data recipients

We do not communicate personal data collected from this website following its consultation to recipients or categories of recipients.

Period for storing personal data

This website store personal data as described in the previous section "What data is collected" and "Server Logs" for the time related to the processing.

Transferring personal data to a third country or international organization

When data subjects are in the EEA, it applies the GDPR. Still, where the users are in the EEA, the data controller, the Mediawiki system administrator, does not transfer any personal data outside the European Economic Area (EEA).

Security measures

The Mediawiki maintainer adopts appropriate security measures to prevent unauthorized access, disclosure, modification, or unauthorized destruction of data. Your data in the communication session with this website are protected by a Secure Sockets Layer (SSL) certificate that uses a cryptographic presentation protocol, encrypting the information.

Data subjects' rights

When data subjects are in the EEA, it applies the GDPR. Still, users (data subjects) who login to Mediawiki may exercise the rights according to Articles 15 to 22 of EU Regulation 2016/679. You can lodge all requests to exercise these rights by writing to `{maintainer's email}`.

Right to lodge a complaint for users who are in the EU

When data subjects, it applies the GDPR. Still, whether a data subject considers that the processing of personal data relating to them as performed via this website infringes the Regulation, they have the right to lodge a complaint with the competent Supervisory Authority (Data Protection Authority) according to Article 77 of the EU Regulation 2016/679.