GDPR/ToS Template

From XMPP WIKI
Revision as of 11:07, 12 March 2023 by Nicfab (talk | contribs)
Jump to navigation Jump to search

This is a WIP and is going to be moved to a git repository.

Privacy Policy

We provide this information for those who consult the XMPP Wiki website. Note that this information applies only to that website and not to other websites the user may consult through links.

When data subjects are in the EEA, it applies the [EU Regulation 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN).

Indeed, according to Article 3(2) of the GDPR, we underline that whether this Mediawiki is installed on the server, not in the EEA, but the service is offered to users in the EEA, it applies.

Article 3

Territorial scope

1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.

2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:

(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or

(b) the monitoring of their behaviour as far as their behaviour takes place within the Union.

3. This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.

Data controller

The data controller is XSF (XMPP Standard Foundation) `{email}`.

What data is collected

We do not collect any personal data.

In case of users login this Mediawiki, the following information is needed to provide the service to you and is stored as long as your account exists:

  • Login credentials are stored in encrypted form and never shared with other parties.
  • Your account identifier (Jabber ID) is only shared with XMPP users and services that you interact with.
  • Your contact list (roster, chatroom bookmarks) is not shared with other parties except when you give explicit permission (XEP-0321: Remote Roster Management).
  • Your availability information (presence) is kept in memory and automatically shared with your contacts and the chatrooms you enter and might be shared with other XMPP services that you are using (e.g. transports). The date and time of your last login are stored alongside your account to identify inactive accounts.
  • The IP address of your registration and of your last login are stored alongside the account. This is required to detect and delete spammer accounts (Art. 6.1f). IP addresses of identified spammer accounts will be shared with other server operators to prevent further abuse.

Each user is responsible for the content they publish.

Who can access the data, and for what activities?

The Wki administrator can access Personally Identifiable Information (PII) also for technical needs.

Server Logs

To ensure proper operation of the service, including network and information security, the server log contain, among other data:

  • Message meta-data (sender, receiver, type of message).
  • Message content of messages automatically flagged as potential spam. These messages might undergo manual review.
  • Connection information, including IP addresses and timestamps.
  • Internal processing information.

The purposes of the processing

When data subjects are in the EEA, it applies the GDPR. Still, the purpose is to provide access to the XMPP Wiki by allowing users to visit the Wiki website and for those who created an account to publish content.

Furthermore, the purposes are also related to server maintenance and system and application upgrades.

The optional, explicit, and voluntary sending of electronic mail to the addresses indicated on the footer of this site involves the acquisition of the sender's address necessary for the replies and any other personal data contained in the message. These data are processed to respond to messages sent and handle related requests. Failure to provide personal data for communications with us or send requests will prevent evading them. We store data for the time strictly necessary for the purposes related to data processing.

Legal basis for the processing

When data subjects are in the EEA, it applies the GDPR. Still, the processing of personal data is based on consent - according to Article 6, par. 1, letter a) of EU Regulation 2016/679 - expressed by the user by browsing this website, choosing the preferences, and submitting queries, thus accepting this information.

Consent is optional, and the user can withdraw at any time by request sent by email to `{maintainer's email}`, specifying that, in this case, whether the user does not consent, they cannot access their Wki accounts, and consult this website.

According to Whereas(49) of the EU Regulation 2016/679, the processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, i.e. the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity, and confidentiality of stored or transmitted personal data, and the security of the related services offered by, or accessible via, those networks and systems, by public authorities, by computer emergency response teams (CERTs), computer security incident response teams (CSIRTs), by providers of electronic communications networks and services and by providers of security technologies and services, constitutes a legitimate interest of the data controller concerned.

Therefore, regarding server maintenance and system and application upgrades, the legal basis is the legitimate interest according to Article 6, letter f) and Whereas(49) of the EU Regulation 2016/679.

The processing of personal data is necessary to pursue the data controller's legitimate interest in providing information about studies and research, according to article 6, par. 1, letter f) of EU Regulation 2016/679, in compliance with the provisions of the same Regulation.

Cookies

The cookies are **functional** (session) and - in case of login - MediaWiki cookies for those users who login. Therefore, for those who visit this website, there are no profiling or tracking activities.

Data recipients

We do not communicate personal data collected from this website following its consultation to recipients or categories of recipients.

Period for storing personal data

This website store personal data as described in the previous section "What data is collected" and "Server Logs" for the time related to the processing.

Transferring personal data to a third country or international organization

When data subjects are in the EEA, it applies the GDPR. Still, where the users are in the EEA, the data controller, the Mediawiki system administrator, does not transfer any personal data outside the European Economic Area (EEA).

Security measures

The Mediawiki maintainer adopts appropriate security measures to prevent unauthorized access, disclosure, modification, or unauthorized destruction of data. Your data in the communication session with this website are protected by a Secure Sockets Layer (SSL) certificate that uses a cryptographic presentation protocol, encrypting the information.

Data subjects' rights

When data subjects are in the EEA, it applies the GDPR. Still, users (data subjects) who login to Mediawiki may exercise the rights according to Articles 15 to 22 of EU Regulation 2016/679. You can lodge all requests to exercise these rights by writing to `{maintainer's email}`.

Right to lodge a complaint for users who are in the EU

When data subjects, it applies the GDPR. Still, whether a data subject considers that the processing of personal data relating to them as performed via this website infringes the Regulation, they have the right to lodge a complaint with the competent Supervisory Authority (Data Protection Authority) according to Article 77 of the EU Regulation 2016/679.