SAML-tracer
Privacy Policy
The other day I took a glance at the Chrome Web Store to see if we could publish a new version of SAML-tracer anytime soon. I couldn't help but notice that the CWS now enforces the linking of a privacy policy. Without this, it is not possible to publish a new version.
Now one could certainly click through one of the numerous online generators for privacy policies. Sure, sounds easy at first. Nevertheless, it is not unlikely that you will not state things correctly and that the whole structure will become legally vulnerable as a result.
I wonder how you deal with these kinds of issues in SimpleSAMLphp? I think that privacy issues and legal matters in general are even more acute with this project than with SAML-tracer. Is SimpleSAMLphp backed by Sikt/UNINETT in this regard? Or SURF (probably not)? However, I couldn't find a privacy policy anywhere in the SimpleSAMLphp project or on the website. Either I'm looking too hard, or there isn't one?!
Anyway. I think with the necessary effort one could also create a (hopefully legally bulletproof) privacy policy for SAML-tracer. It would certainly also be in the users' interest if they could find out what happens to their data (namely nothing; since we don't play fast and loose with it). However, I have concerns about article 13(1a) of the GDPR. This article requires the specific designation of a responsible person ("controller"). Who should be named here in an open source project? If SAML-tracer were the product of some company, it would certainly be a different situation. Hence the question about Sikt/UNINETT: Would it somehow be conceivable to come under their umbrella in this respect?
What do you think about this, @tvdijen, @thijskh, @jaimeperez?