GDPR - consent

General Discussion

Suggested Topics

  • 1 Votes
    3 Posts

    Well, there are language files in /public/language. The GDPR text is, as far as I remember, sourced from a few of these entries (the language files are JSON files with a prase identifier, and translation). So if you want to change the wording, you would have to modify these files in your clone of the repo.

    Not sure if this is the "best way" since they might be overwritten when you pull the next version (could someone with more knowlede than me confirm this?) but that's a git issue that you should be able to handle once you get to updating.

    For example, I see three entries in the file "/public/language/en-US/register.json" that start with "gdpr_". There are probably others but this is a good place to start. Just search those language files for the exact wording.

    Also note that to chnag eit you would have to change all of the languages, but if english only is enough for you, that is easier.

  • 0 Votes
    1 Posts


    how to manage data for existing users who did not give consent? We had to remove all of their post?
    In my case there are many users that aren't active anymore but wrote a lot of interesting messages. Removing their post would be disastrous.


  • About GDPR email sending

    General Discussion
    0 Votes
    3 Posts

    @julian said in About GDPR email sending:

    It is safe to assume that if a user explicitly set their user digest setting, then they can consider having opted into the email.

    For those users that have not set any setting explicitly, you can change the default in the ACP, and that value will propagate to those users as well. So you'll probably want to disable the email digest for default users.

    I will try that for now
    Problem with the new law is that users need to re-confirm his preferences and if they dont confirm it should be disabled

  • 0 Votes
    13 Posts

    Thanks @Juan-G -- I wanted to say as such to @frgilb but could not find the appropriate clauses 😄

    Here are some additional clauses (thanks @Jay-Moonah for looking into this earlier this week):

    “Processing shall be lawful only if and to the extent that at least one of the following applies: […] (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”

    -- Article 6, Paragraph 1, Point F

    “The processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, i.e. the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data, and the security of the related services offered by, or accessible via, those networks and systems, […] by providers of electronic communications networks and services and by providers of security technologies and services, constitutes a legitimate interest of the data controller concerned. This could, for example, include preventing unauthorised access to electronic communications networks and malicious code distribution and stopping ‘denial of service’ attacks and damage to computer and electronic communication systems.”

    -- Recital 49 (excerpt)

    That said, where IP address is used in a fashion that isn't exposed to anyone of significance (regular users or admins), then I see no reason to utilise the IP, keep it for any lengthy period of time, or at least secure it properly.

    To that end, please see gh#6539 (attached) to see how I've addressed the first point.

    I would argue that the storage of IP addresses per user (via User.logIP()) is required in order to prevent unauthorized access or cyber-attacks, although I use that term fairly loosely. I've identified the following use cases:

    Admin approval for registration (if an IP is already associated with a uid) -- useful for combating sockpuppetry Get similar uids during admin approval stage -- again, sockpuppetry-mitigation Search by IP -- used by moderators to find existing sockpuppets.

    With GDPR consent required for all users, this is no longer an issue as they would be consenting to their storage of IP addresses for this purpose, and we do delete on user deletion, so this satisfies the "Right to be Forgotten".

  • 0 Votes
    18 Posts

    Cool, thanks 🙂