Difference between revisions of "GDPR/Table"

From XMPP WIKI
Jump to navigation Jump to search
(pandoc GDPR-table.odt -t mediawiki)
 
(Update table to discussion 8&9 (last one from memory))
 
(2 intermediate revisions by the same user not shown)
Line 1: Line 1:
{|
{| class="wikitable"
| Data (Q1.1b)
! Data (Q1.1b)
| Processing (Q1.1c)
! Processing (Q1.1c)
| Ground for processing (Q1.1d)
! Ground for processing (Q1.1d)
| Issues to solve in Q1.1e
! Resolution (Q1.1e)
|-
|-
| Credentials
| Credentials
Line 14: Line 14:
| Implicit permission (art 6.1b)
| Implicit permission (art 6.1b)
|
|
- EULA must contain information about '''all''' processing
- Guidlines for server operators


- Only processing needed for performing user request is allowed
- EULA Template
 
- IBR Link to template (EULA XEP)
|-
|-
|
|rowspan="2"|
User metadata
User metadata


Line 35: Line 37:
- Expose presence, last activity to other users
- Expose presence, last activity to other users
| Implicit permission (art 6.1b)
| Implicit permission (art 6.1b)
|
|rowspan="6"|
- Only processing needed for performing user request is allowed
- Guidelines for server operators
 
- Template EULA


- Doing data mining may trigger art 9.1
- EULA XEP
|-
|-
|
|
Line 47: Line 51:
- storage while receiving server is online
- storage while receiving server is online
| Implicit permission (art 6.1b within EU, art 49.1b outside EU)
| Implicit permission (art 6.1b within EU, art 49.1b outside EU)
|
- Only processing needed for performing user request is allowed
- Doing data mining may trigger art 9.1
'''how to safeguard that on remote server?'''
|-
|-
|
|rowspan="5"|
User content
User content


Line 75: Line 73:
- Store offline messages until client connects
- Store offline messages until client connects
| Implicit permission (art 6.1b)
| Implicit permission (art 6.1b)
|
- Only processing needed for performing user request is allowed
- Doing data mining may trigger art 9.1
|-
|
C2S:
- Store MAM and files
| Explicit consent (art 6.1a)
| Is explicit consent is part of the MAM XEP?
|-
|-
|
|
Line 91: Line 78:


- MAM on MUC
- MAM on MUC
| Interest of third party (other MUC users), (art. 6.1f)
| Implicit permission (art 6.1b)
| Is a notification/warning about this needed?
|-
|-
|
|
Line 99: Line 85:
- handing over to receiving server
- handing over to receiving server
| Implicit permission (art 6.1b within EU, art 49.1b outside EU)
| Implicit permission (art 6.1b within EU, art 49.1b outside EU)
|-
|
|
- Only processing needed for performing user request is allowed
S2S:


- Doing data mining may trigger art 9.1
- Storage on remote server with MAM


'''how to safeguard that on remote server?'''
- MAM on MUC
| Implicit permission (art 6.1b)
|-
|-
|
|
S2S:
C2S:
 
- Store MAM and files
| Explicit consent (art 6.1a)
|
 
- Guidelines for server operators


- Storage on remote server with MAM
- Template EULA


- MAM on MUC
- Consent in MAM-XEP
| Interest of third party (remote users), (art. 6.1f)
| Is a notification/warning about this needed?
|-
|-
| Server logs
| Server logs
Line 123: Line 115:
- typical: some days weeks (logrotate), with IP adderesses and message metadata
- typical: some days weeks (logrotate), with IP adderesses and message metadata
| Recital 49
| Recital 49
| Make limits clear to server operators?
|
- Guidelines for server operators
|-
|-
| Usage of remote components (e.g. roster management, transports)
| Usage of remote components (e.g. roster management, transports)
Line 137: Line 130:
- others: implicit permission (art. 6.1b)
- others: implicit permission (art. 6.1b)
|
|
- Only processing needed for performing user request is allowed
- Guidelines for server operators
 
- Doing data mining may trigger art 9.1


'''how to safeguard that on remote server?'''
- Template EULA


Can we safeguard that with transports?
- EULA XEP
|-
|-
| S2S metadata
| S2S metadata
| Logging in server logs
| Logging in server logs
| Not subject to GDPR
|colspan="2" style="text-align: center;"|Not subject to GDPR
|-
|-
| Spam detection is '''NOT '''covered
|colspan="4" style="text-align: center;"|Spam detection is '''NOT '''covered
|}
|}

Latest revision as of 22:00, 29 April 2018

Data (Q1.1b) Processing (Q1.1c) Ground for processing (Q1.1d) Resolution (Q1.1e)
Credentials

C2S:

- Stored as long as the account exists

- Check user JID against well-known spammer patterns

Implicit permission (art 6.1b)

- Guidlines for server operators

- EULA Template

- IBR Link to template (EULA XEP)

User metadata

- IP address

- Presence, timestamp of last available presence

C2S:

- Stored during connection

- Stored with account

- Spam detection

- Expose presence, last activity to other users

Implicit permission (art 6.1b)

- Guidelines for server operators

- Template EULA

- EULA XEP

S2S:

- handing over to receiving server

- storage while receiving server is online

Implicit permission (art 6.1b within EU, art 49.1b outside EU)

User content

- roster content (with names)

- bookmarks

- offline/MAM history

- server-side file storage (http-upload)

- PEP

C2S:

- Store roster and bookmarks with account

- Store PEP in RAM

- Store offline messages until client connects

Implicit permission (art 6.1b)

C2S:

- MAM on MUC

Implicit permission (art 6.1b)

S2S:

- handing over to receiving server

Implicit permission (art 6.1b within EU, art 49.1b outside EU)

S2S:

- Storage on remote server with MAM

- MAM on MUC

Implicit permission (art 6.1b)

C2S:

- Store MAM and files

Explicit consent (art 6.1a)

- Guidelines for server operators

- Template EULA

- Consent in MAM-XEP

Server logs

C2S:

- minimal: no logs

- typical: some days weeks (logrotate), with IP adderesses and message metadata

Recital 49

- Guidelines for server operators

Usage of remote components (e.g. roster management, transports)

S2S:

- Handing over metadata

- Handing over user consent

- Roster management: user consent

- others: implicit permission (art. 6.1b)

- Guidelines for server operators

- Template EULA

- EULA XEP

S2S metadata Logging in server logs Not subject to GDPR
Spam detection is NOT covered