
General Data Protection Regulation

Open emanuele45 opened this issue 6 years ago • 7 comments

I just heard about it, so better to track it here for further review, because it will enter into force in May 2018 and I don't have any idea what it requires, but considering the previous attempts it may not be so easy. Fortunately, being a Regulation means it will apply to the entire EU zone without having to deal with national legislation anymore.

Just the first few results from a search: http://ec.europa.eu/justice/data-protection/ https://en.wikipedia.org/wiki/General_Data_Protection_Regulation https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/

emanuele45 Oct 23 '17 13:10

It is good to read the laws before trying to implement them, or otherwise, you may book yourself for something which is unnecessary. General Data Protection Regulation states, in paragraph 18, that it:

... does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity and thus with no connection to a professional or commercial activity. Personal or household activities could include correspondence and the holding of addresses, or social networking and online activity undertaken within the context of such activities. However, this Regulation applies to controllers or processors which provide the means for processing personal data for such personal or household activities. [Emphasis added]

IMHO the laws are not affecting non-commercial forum owners much but rather the server / hosting providers. It should be enough to take care of the basic rights of the registered members, as EA is already currently doing. Of course we can improve and make it better from time to time.

ahrasis Nov 26 '17 04:11

Of course good will alone is not enough, I did not read anything during the holidays. :laughing: Oh well, there is still time. :innocent:

emanuele45 Jan 28 '18 23:01

hmm... I'm not sure about the very last sentence you quoted:

However, this Regulation applies to controllers or processors which provide the means for processing personal data for such personal or household activities.

Isn't the forum owner a controller and a processor giving the means for processing personal data?

emanuele45 Mar 25 '18 08:03

My understanding is that Recital 18 means that GDPR isn't applicable to forum users, but is applicable for most forum owners.

Whilst this link is about DPA rather than GDPR, the ICO have continued to advise this when I was looking into this as a forum owner earlier this year. https://ico.org.uk/media/for-organisations/documents/1600/social-networking-and-online-forums-dpa-guidance.pdf

Basically, if you are just a group of IRL friends and want somewhere to record your activities, then you as a forum owner would be exempt from GDPR as this would fall under recreational purposes.

However, if you have members who come and go; or generate any income, i.e. collect donations to keep servers up and running or from ads; or if the group would continue to exist if membership changed; or if you have your own set of rules that exists separately from your members, then you are not exempt.

thatnini Mar 25 '18 09:03

I am not against making ElkArte comply with GDPR, as it is a good and right thing to do, but don't be too phobic about it.

What I was saying four months ago is, an exclusion is an exclusion and as such I think that when the legislators exclude a natural person(s) who is / are processing personal data in the course of a purely personal or household activity and with no connection to a professional or commercial activity, they really mean not to include him (or them) at all.

In jurisprudence, a natural person is a person (in legal meaning, i.e., one who has its own legal personality) that is an individual human being, as opposed to a legal person, which may be a private (i.e., business entity or non-governmental organization) or public (i.e., government) organization.

So, when they put in the last part of the said exemption clause that it however applies to controllers and processors which provide the means for processing personal data, that should IMO mean other person than the one excluded earlier, like the professional / commercial server / hosting provider(s) or other unnatural person(s).

They also clearly stated, personal or household activities could include correspondence and the holding of addresses, or social networking and online activity undertaken within the context of such activities which IMO include processing email addresses, collecting certain funds via ads or donations to maintain the server or the group welfare, registration and membership, in common, legal ways as before.

Social networking is defined by Cambridge (business) dictionary as the activity of sharing information and communicating with groups of people using the internet, especially through websites that are specially designed for this purpose.

The Oxford dictionary defines "online" (sometimes also referenced as "On the Line") as "controlled by or connected to a computer" and as an activity or service which is "available on or performed using the Internet or other computer network".

I failed to see why in any way this provision should or could be interpreted to include any natural person(s) processing personal data as controllers and processors in the last part after it has been spelled out very clearly the exclusion of the same.

Again, I may be wrong but as I already said "it should be enough to take care of the basic rights of the registered members, as EA is already currently doing [but] of course we can improve and make it better from time to time".

So do what you think is good and the right thing to do as this rule clearly does not apply to individual human(s) who is / are processing of personal data in the course of a purely personal or household activity and with no connection to a professional or commercial activity.

ahrasis Mar 26 '18 03:03

Completely understand where you are coming from and really want to say that we shouldn't have to comply with GDPR in the same way as unnatural persons do due to our limited resources, but....

Article 4

  1. ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
  1. ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

As the definitions of controller and processor include natural person(s), this implies to me that unfortunately it is unlikely forum owners would be automatically exempt as they would probably fall into the last sentence of Recital 18.

It is my understanding that if you, as an individual, run a website/forum/blog as a hobby and you "process" stranger's personal data then you would be considered a controller and/or processor and therefore not likely to be able to use Recital 18 as an exemption from GDPR.

DISCLAIMER: I'm not a lawyer and would recommend people to either speak to their Supervisory Authority eg ICO or to seek legal advice on the best way to proceed.

On another note, I've seen https://techblog.bozho.net/gdpr-practical-guide-developers/ linked to quite a few times for developers to refer to when working out how to develop their product for GDPR. I think a lot of the stuff in the blog post has already been covered in the individual issues though! 👍

thatnini Mar 26 '18 12:03

If it is a professional or commercial activity, then it would not be excluded. Along this I do agree a natural person(s) could be subjected to GDPR but otherwise than what I have stated earlier, I do not.

I stand corrected though I have been practicing law since 2000 in my country and we are a member of the Commonwealth countries.

ahrasis Mar 27 '18 04:03