Navigation

Search

About the GDPR

Posted by CoreISP on Iunie 02, 2018, 09:08:21 p.m.

Dear users,


Many of you had questions about the GDPR and how to comply with this EU law about processing personal data of EU-citizens.
To make things easier for you, our next releases will include multiple features to help you with that. :)

The current list of features we are expecting to add to SMF is as follows:
- Data export, so users may (if you allow them to) export their profile data. (Profile including IP address(-history), posts (optional), personal messages (optional)). In the future, SMF might get an option to restore the basic profile of another site.
- Include unsubscribe links in newsletter emails if you set them to be marketing related (functional emails will remain being sent if someone opts out of marketing emails, depending on notification settings.)
- Opt-in checkbox for marketing emails during registration
- Force users to agree to new registration agreement, keep track of who consented and when they did, and the ability to see who have not agreed (yet).
- We are considering making it possible to show the privacy policy separate from the registration agreement during registration
- Show Privacy Policy link in the footer
- Ability to, when deleting a user/user has requested deletion of their data, check a box to remove IP-history from posts and anonymise their posts; which is to say their user/nickname is automatically changed to something other than what they registered with. Of course you still retain the ability to remove their posts as well. Even though this is not strictly required by GDPR if your policy checks out! (Note that you can already (pseudo-)anonymise their posts by first changing their nick before removing their profile, but we figured it would be nice to automate this in the future.)
- Extra prune functions, like expunging IP history for users as far as (technically) reasonably possible, to limit the amount of personal data you have on record. (Use with care.)

These functions will likely not all be introduced at once and some features will be expanded/improved with later updates.
We are aiming to get the basics introduced first (such as ability to add privacy policy, basic profile export, opt-out function for newsletters and forcing users to agree again to a (changed) registration agreement/privacy policy and log that). More features may be added later. If you think we forgot something, you may also post suggestions here - but please keep in mind that we are limited in time and resources. :) We have decided to implement these features in to SMF itself rather than releasing it as a modification (mod), so when you update SMF: these features will be available to you instantly.

The features will be optional for you to enable/disable, so if you do not want to use or activate them: that is possible.
We have been working hard on this and will release it as soon as possible. Our estimate is a release around the end of this month/begin of July, but please do not consider that a promise. Keep in mind that these tools are to help you with being/becoming GDPR-compliant, only activating them doesn't necessarily make you compliant. We advise you to read up on the laws and obtain legal advice if you are unsure whether or not you are compliant or have to be and what you should put in your privacy policy.


As for our own site, we will post a Privacy Policy soon to make it easier for you to see what we do with the very limited amount of data that you provide us with and information about what your rights are. And of course we will introduce the above features here as well as they will be included in SMF itself. :)

Last but not least, we apologize for the delay in introducing these features. Once we became aware of this new law, we wanted to get to the bottom of it and get some legal advice first. And as we are all volunteers: there are some time constraints as well. We are working very hard on it though and will release the features soon. :)

Thank you!


Kind regards, on behalf of;
- SMF Team
- Simple Machines

Comments

GigaWatt on Iunie 02, 2018, 09:21:00 p.m. said
Will this be included in the Core features section and will it be turned on or off by default?

And with the term "our next release", do you mean the next major update (the 2.1 branch) or the current stable branch (2.0.x)?
CoreISP on Iunie 02, 2018, 09:24:21 p.m. said
Will this be included in the Core features section and will it be turned on or off by default?

Good question on the Core features section, I'll ask the devs. :)
It will be turned off by default as we don't want to impose this on everybody, plus if you enable it you have to take extra actions such as populating your Privacy Policy.

Citat
And with the term "our next release", do you mean the next major update (the 2.1 branch) or the current stable branch (2.0.x)?

Both! :)
But SMF 2.0 gets it first as that's the current stable version and thus what most people are using.
GigaWatt on Iunie 02, 2018, 10:21:09 p.m. said
Than you for the prompt answer ;).
petb on Iunie 04, 2018, 08:41:33 a.m. said
Thank you,
i appreciate that very much.
Rock Lee on Iunie 04, 2018, 07:52:51 p.m. said
Well, little by little, for several communities, it should be applied, although personally I do not really give much importance. Although it is really appreciated as quickly as possible, this new law was acted upon!


Regards!
GravuTrad on Iunie 10, 2018, 05:47:21 p.m. said
Cool news. Thanks for this effort.
Bigguy on Iunie 12, 2018, 06:25:42 p.m. said
Very nice to hear and should be well appreciated by members. :)
Aleksi "Lex" Kilpinen on Iunie 17, 2018, 02:31:35 a.m. said
Will this be included in the Core features section and will it be turned on or off by default?

Good question on the Core features section, I'll ask the devs. :)
It will be turned off by default as we don't want to impose this on everybody, plus if you enable it you have to take extra actions such as populating your Privacy Policy.
As this wasn't yet answered, I'll just mention that it would appear to be the plan for 2.0 to use the Core features section for this. :)
GigaWatt on Iunie 17, 2018, 03:35:22 a.m. said
Well, IMO that was also kind of logical, so that's why I asked ;).
Arantor on Iunie 17, 2018, 05:39:31 a.m. said
Ugh, not Core Features! It actually is a barrier to entry because people don't know it's there half the time.

(This is why it was removed in 2.1)
Aleksi "Lex" Kilpinen on Iunie 17, 2018, 05:48:04 a.m. said
But in context of 2.0 it is only logical to use it.
Illori on Iunie 17, 2018, 05:54:11 a.m. said
But in context of 2.0 it is only logical to use it.

but we dont need to continue to be logical ;) we need to make sure the users can find how to enable the feature and go from there.
Aleksi "Lex" Kilpinen on Iunie 17, 2018, 05:55:22 a.m. said
Granted, that is true as well.
Arantor on Iunie 17, 2018, 06:00:03 a.m. said
So... don't put it in Core Features, add a new menu to the admin panel called Privacy and put all the things in there.

In context of 2.0, burying stuff in Core Features only guarantees people having to ask where to find it.
vbgamer45 on Iunie 17, 2018, 08:13:37 a.m. said
Glad core features is going away that was always odd and agree people never really checked it.
landyvlad on Iulie 08, 2018, 11:17:22 p.m. said
Just did a search on GDPR and found this post - great to know that it's being worked on.
wintstar on August 09, 2018, 03:19:39 a.m. said
alberlast has implemented this well for the upcoming version 2.1. The European Data Protection Act stipulates that data protection is displayed even if the website is in maintenance mode or the website can be accessed even if there are system errors. If the forum is in maintenance mode, privacy cannot be displayed. For this, a possibility would have to be given that the data protection in maintenance mode or system error, where the forum is to be called, is given.
Aleksi "Lex" Kilpinen on August 09, 2018, 03:26:50 a.m. said
Actually no, I really do not think the GDPR requires that, or even could require that. The whole regulation is built on clauses like "unless requiring unproportioned effort or technically impossible"...
wintstar on August 09, 2018, 03:32:35 a.m. said
Actually no, I really do not think the GDPR requires that, or even could require that. The whole regulation is built on clauses like "unless requiring unproportioned effort or technically impossible"...
That is necessary:

Sorry is of german.
https://www.kreativ-web-marketing.com/de/news/meldungen/dsgvo-datenschutz-weisse-webseite.php
Arantor on August 09, 2018, 03:47:22 a.m. said
So if there is a system error that means the privacy policy physically can't be displayed (maintenance mode aside), it's now a GDPR violation. In fact, in almost every single possible circumstance under that, you'd have to display the privacy notice. Even if the site is in hard maintenance where not even admins can log in, you STILL have to display it on almost every webhost ever set up because it still goes into access logs so even though the site isn't accessible, the fact it's been visited at all still counts.

Congratulations, that's the second dumbest thing I've heard yet coming out of the German interpretation of the GDPR, the first being that if patients request their healthcare data to be deleted under RTBF, electronic records must be deleted, while the paper copies (that are fundamentally incomplete, if say, you have cancer where you'll have CTs and treatment plans and all that stuff as 95% of that won't ever make it to paper and even if it did, it wouldn't be especially useful anyway) must be kept for 30 years.

Fortunately the ICO is not quite so asinine about any of this. It's getting increasingly less worth the effort to run a website the way this is going.
Aleksi "Lex" Kilpinen on August 09, 2018, 03:50:35 a.m. said
I still think that must be a misunderstanding, or very very poor local implementation because no such requirement can be seen in the actual GDPR.

EDIT:

As far as I know, this is THE point in GDPR that has been interpreted as the need of a privacy policy available:

Citat
The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means.

In my understanding, appropriate measures does not mean it has to be available at all cost at all times, it simply means to make it public and clear where you can obtain the information if needed.

Article 13 in itself will not come in to play, if the server is down - because no information is then collected, and the user does not have to be informed of that.
wintstar on August 09, 2018, 04:18:10 a.m. said
...
Congratulations, that's the second dumbest thing I've heard yet coming out of the German interpretation of the GDPR, the first being that if patients request their healthcare data to be deleted under RTBF, electronic records must be deleted, while the paper copies (that are fundamentally incomplete, if say, you have cancer where you'll have CTs and treatment plans and all that stuff as 95% of that won't ever make it to paper and even if it did, it wouldn't be especially useful anyway) must be kept for 30 years.

Fortunately the ICO is not quite so asinine about any of this. It's getting increasingly less worth the effort to run a website the way this is going.
That's not German, that's European crap. And I also see it in such a way, that it is not worthwhile itself in Europe slowly privately a web page to operate.
This DSGVO is actually made to bring even more members to the social networks. The private websites will be broken. But that's not the topic here. The laws are made, then you should also see to implement them as far as possible. alberlast has already solved it.
Aleksi "Lex" Kilpinen on August 09, 2018, 04:32:36 a.m. said
The actual GDPR is EU crap, but each country will have to write it in their own legislation, so if german legislation says what you say it does, then that is german crap, not EU crap, sorry.
Arantor on August 09, 2018, 04:43:34 a.m. said
I have done this, I have spoken at great lengths with the ICO, the U.K. equivalent. And they are not so asinine about it.
Aleksi "Lex" Kilpinen on August 09, 2018, 04:47:51 a.m. said
So far I have yet to see a very extreme approach to this in Finland too, so far the local interpretation seems almost reasonable.
feline on August 09, 2018, 07:18:10 a.m. said
If the Forum in "Maintenace Modus" not Userdate is Handled or Saved, because he can simple not login.
So I think, this can simple ignored ...
Arantor on August 09, 2018, 08:00:51 a.m. said
The user still gets entered into the access log and therefore apparently all the privacy notices have to be shown.
feline on August 09, 2018, 08:41:07 a.m. said
The user still gets entered into the access log and therefore apparently all the privacy notices have to be shown.
Well .. I just have implemented this feature ...
It's very simple to handle that  ;)

In the index.php just before this
return 'InMaintenance';
check if the request the impressum or the gdpr policy  ;)

Easy to handle that ..
petb on Noiembrie 10, 2018, 02:19:44 a.m. said
How far is the matter in the meantime?
Is there any progress to report?
d3vcho(); on Noiembrie 10, 2018, 04:09:55 a.m. said
Our developers are working hard to implement this feature both in 2.0.x and 2.1.x. We'll have to wait a bit more because this is something serious that need to be dicussed and properly implemented but, for everyone's relief, we're much more closer than we were a few months ago.
live627 on Noiembrie 10, 2018, 04:34:49 a.m. said
Properly implementing this takes time. We want to get this right. We must also consider existing installs and how best to not disrupt them.