(→S2S:: Remove questions on MUC, they are answered, MUC is not different from other traffic)
(→Q1.1e Analyse possible consequences: overhauling legal analysis)
Line 121:
==== Q1.1e Analyse possible consequences ====
===== Is the user supplied data of special categories or not? =====
For the legal status of the processed data it matters a lot whether or not it belongs to one of the special categories described in art. 9. (LQ1)
Though most servers process messages that contain such data, this is not processing in the sense of art. 9, analogous to the status of pictures. Even though a message contains such sensitive data, as long as it is not analysed and categorized on those categories, it is not subject to art. 9.
====== limit ======
As soon as such analysis is done, e.g. for spam filtering, it is no longer covered by the legal framework sketched here. Processing such data for spam filtering, for example, must have explicit consent.
===== Legal grounds for processing =====
Processing is done for the performance of a contract with the data subject (art. 6.1b). The contract (which does not have to be an explicit contract) would then be: "to take care of the communication".
Message Archive Management (MAM) is not obviously a service a user expects when signing up with a Jabber server. So it cannot be covered by the same legal ground for processing; it should be off by default and the user should turn it on manually. The ground for processing here is article 9.1a.
'''Q. by Winfried: is this indeed 6.1a or a second 6.1b? By requesting the archiving service, the user has a second(ary) service he wants to perform. Art. 6.1a is problematic, because it brings in the permission question as described in art. 7.'''
====== limit ======
Any additional processing that is not needed for the contract the data subject is engaged in is not covered.
===== Data subject rights =====
The structure of XMPP ensures that all data subject rights are guaranteed, except for the right of deletion and the right to transfer the data. The right of deletion is not implemented in all standards. The right to transfer, though only applicable to data that is processed under art. 6.1a, not 6.1b, is also not guaranteed. Two elements would help to ensure the right to transfer is honoured correctly: a 'download client' and automatic transfer to another server.
=== Q1.2: What consequences does the GDPR have for the XMPP server operators ===