GDPR/Table

From XMPP WIKI
Revision as of 10:54, 23 April 2018 by Zash (talk | contribs) (pandoc GDPR-table.odt -t mediawiki)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search
Data (Q1.1b) Processing (Q1.1c) Ground for processing (Q1.1d) Issues to solve in Q1.1e
Credentials

C2S:

- Stored as long as the account exists

- Check user JID against well-known spammer patterns

Implicit permission (art 6.1b)

- EULA must contain information about all processing

- Only processing needed for performing user request is allowed

User metadata

- IP address

- Presence, timestamp of last available presence

C2S:

- Stored during connection

- Stored with account

- Spam detection

- Expose presence, last activity to other users

Implicit permission (art 6.1b)

- Only processing needed for performing user request is allowed

- Doing data mining may trigger art 9.1

S2S:

- handing over to receiving server

- storage while receiving server is online

Implicit permission (art 6.1b within EU, art 49.1b outside EU)

- Only processing needed for performing user request is allowed

- Doing data mining may trigger art 9.1

how to safeguard that on remote server?

User content

- roster content (with names)

- bookmarks

- offline/MAM history

- server-side file storage (http-upload)

- PEP

C2S:

- Store roster and bookmarks with account

- Store PEP in RAM

- Store offline messages until client connects

Implicit permission (art 6.1b)

- Only processing needed for performing user request is allowed

- Doing data mining may trigger art 9.1

C2S:

- Store MAM and files

Explicit consent (art 6.1a) Is explicit consent is part of the MAM XEP?

C2S:

- MAM on MUC

Interest of third party (other MUC users), (art. 6.1f) Is a notification/warning about this needed?

S2S:

- handing over to receiving server

Implicit permission (art 6.1b within EU, art 49.1b outside EU)

- Only processing needed for performing user request is allowed

- Doing data mining may trigger art 9.1

how to safeguard that on remote server?

S2S:

- Storage on remote server with MAM

- MAM on MUC

Interest of third party (remote users), (art. 6.1f) Is a notification/warning about this needed?
Server logs

C2S:

- minimal: no logs

- typical: some days weeks (logrotate), with IP adderesses and message metadata

Recital 49 Make limits clear to server operators?
Usage of remote components (e.g. roster management, transports)

S2S:

- Handing over metadata

- Handing over user consent

- Roster management: user consent

- others: implicit permission (art. 6.1b)

- Only processing needed for performing user request is allowed

- Doing data mining may trigger art 9.1

how to safeguard that on remote server?

Can we safeguard that with transports?

S2S metadata Logging in server logs Not subject to GDPR
Spam detection is NOT covered