GDPR/Table
| Data (Q1.1b) | Processing (Q1.1c) | Ground for processing (Q1.1d) | Issues to solve in Q1.1e |
| Credentials |
C2S: - Stored as long as the account exists - Check user JID against well-known spammer patterns |
Implicit permission (art 6.1b) |
- EULA must contain information about all processing - Only processing needed for performing user request is allowed |
|
User metadata - IP address - Presence, timestamp of last available presence |
C2S: - Stored during connection - Stored with account - Spam detection - Expose presence, last activity to other users |
Implicit permission (art 6.1b) |
- Only processing needed for performing user request is allowed - Doing data mining may trigger art 9.1 |
|
S2S: - handing over to receiving server - storage while receiving server is online |
Implicit permission (art 6.1b within EU, art 49.1b outside EU) |
- Only processing needed for performing user request is allowed - Doing data mining may trigger art 9.1 how to safeguard that on remote server? | |
|
User content - roster content (with names) - bookmarks - offline/MAM history - server-side file storage (http-upload) - PEP |
C2S: - Store roster and bookmarks with account - Store PEP in RAM - Store offline messages until client connects |
Implicit permission (art 6.1b) |
- Only processing needed for performing user request is allowed - Doing data mining may trigger art 9.1 |
|
C2S: - Store MAM and files |
Explicit consent (art 6.1a) | Is explicit consent is part of the MAM XEP? | |
|
C2S: - MAM on MUC |
Interest of third party (other MUC users), (art. 6.1f) | Is a notification/warning about this needed? | |
|
S2S: - handing over to receiving server |
Implicit permission (art 6.1b within EU, art 49.1b outside EU) |
- Only processing needed for performing user request is allowed - Doing data mining may trigger art 9.1 how to safeguard that on remote server? | |
|
S2S: - Storage on remote server with MAM - MAM on MUC |
Interest of third party (remote users), (art. 6.1f) | Is a notification/warning about this needed? | |
| Server logs |
C2S: - minimal: no logs - typical: some days weeks (logrotate), with IP adderesses and message metadata |
Recital 49 | Make limits clear to server operators? |
| Usage of remote components (e.g. roster management, transports) |
S2S: - Handing over metadata - Handing over user consent |
- Roster management: user consent - others: implicit permission (art. 6.1b) |
- Only processing needed for performing user request is allowed - Doing data mining may trigger art 9.1 how to safeguard that on remote server? Can we safeguard that with transports? |
| S2S metadata | Logging in server logs | Not subject to GDPR | |
| Spam detection is NOT covered | |||