This is a hot topic But I guess, in a lot of senses, we are already good:
But I still think that there are some areas that could be improved. Especially one,
Is there any plan to be able to
import a user between instances.
Or imagine, as a user I want to upgrade from shared instance to dedicated instance, I guess it would be a useful feature, and I think we need that also to be compliant?
As a first step, we could think of just basic information, and then maybe ask each application to have an export/import feature?
What do you think?
Ok, looking at https://apps.nextcloud.com/apps/data_request, it looks like, we already have the export part.
We’ll “just” need the import part. Isn’t this part of GDPR too with the
Right to data portability?
This app will be notify an Admin by email about the request.
Ah ok, and then how does the admin export?
The admin. We have documented, partially, how to do that on our customer portal. As it is complicated and different for each app, we expect admins to contact our support team for help if needed.
For future releases we’re working on making export and import easier, as well as make deletion work more fine-grained. For example, right now, deleting a user doesn’t delete his/her comments on files from other users. It is documented how to do that, but not easy and we’d like to have options for system admins for that in the future.
But that is still many months away, until then our support team is ready to help customers with this.
In general, I question whether running open source software without a support contract is GDPR compliant. You’re supposed to ensure optimal security, for example. In our case, we provide customers with security information ahead of patch releases and other services. If you run a commercial Nextcloud server and it is breached and you have no support contract, I guess your users could try to sue you for not keeping their data safe.
For individuals there is no problem of course. And providers which just serve up a VM or docker image for each customer can simply let them download the entire thing.
Then again, maybe it is fine - the GDPR is complicated and I am not a lawyer. Ask a real lawyer if you have legal GDPR questions!
November 2019, what changed since?
It might be technically complicated but isn’t it at the core of NextCloud values?
I’d like to also point out that being able to migrate users seamlessly between instances is a necessity for Global Scale.