Law: DSGVO is coming

yoursql719 · September 6, 2017, 9:05am

Hi,

as a few of you are hosting providers or provide friends hosting for nextcloud, we should talk about the new Datenschutzgrundverordnung (DSGVO), which will be live at 25 of May 2018 and will hit everybody, who collects or works with user data.

How do you solve the problem to document processing of user data? You can view the whole law in english at: https://www.datenschutz-grundverordnung.eu/wp-content/uploads/2016/04/CONSIL_ST_5419_2016_INIT_EN_TXT.pdf
This law will weigh within the whole EU.

skruffes · February 23, 2018, 11:05am

Hi, are there some news? Is nextcloud save for this?

yoursql719 · February 26, 2018, 5:26pm

I´ven´t heard anything, but I think this could be a greater problem for more people. Perhaps it should be possible to develop a community data safety text, which is automatically installed on a new Nextcloud - like diaspora ships a community TOS text.

tflidd · February 26, 2018, 6:15pm

There should be a few generators that can be used for personal homepages. Perhaps we can do something similar in an app. Are here a few people with legal background who could help? I suppose that programming such an app shouldn’t be that hard (at least if there is a fixed text and you just copy&paste it from elsewhere, nice to have would be a little questionnaire to create individual ones).

@jospoortvliet

yoursql719 · February 26, 2018, 6:28pm

Personally I use the generator of e-recht24. I´ve bought the agency plan. I can give you access to a generated text, but perhaps you should directly talk to e-recht24 or it-kanzlei munich, if they would like to sponsor a law text to your great open source software?

jospoortvliet · March 6, 2018, 9:43am

We written quite a bit about this and our website mentions it a lot, too: in Enlish the law is called GDPR and we blogged about it:

(there are some more blogs on it and a post you can download on https://nextcloud.com/whitepapers)

In general, because Nextcloud is self-hosted, you’re not letting any data you put on it out of your sight, so that helps you be GDPR/DSGVO compliant. If you use non-local storage, you could use the server-side encryption to be compliant still.

The Auditing features allow you to ensure nothing happens without being recorded and ready for auditing.

In short, Nextcloud is super safe and honestly the easiest way for a company to be GDPR/DSGVO compliant.

BWE · March 26, 2018, 10:35pm

Hi!
I agree, Nextcloud is a perfect solution to be GDPR/DSGVO compliant, but one thing seems not be implemented: the COOKIE-LAW http://ec.europa.eu/ipg/basics/legal/cookies/index_en.htm or ePrivacy directive. For a lot of other web related software (Wordpress, Joomla, …) there exist plugins - for example this one https://de.wordpress.org/plugins/eu-cookie-law/

Are there any plans to create such an plugin/apps for Nextcloud until 25.05.2018?

Thank you for this great piece of open software!!

pierreozoux · March 27, 2018, 8:03am

Hi @BWE apparently (I’m not a lawyer), but if you don’t use 3rd party cookie like google analytic and friends, you don’t need to put such a popup.

Here is how framasoft expalin it in french on their website:

Pourquoi vos sites ne demandent-ils pas le consentement des visiteurs concernant les cookies ?

Framasoft est exempté du recueil du consentement préalable des utilisateurs car l’association est en conformité avec l’article 32-II de la loi du 6 janvier 1978, modifié par l’ordonnance n°2011-1012 du 24 août 2011 (transposé dans la directive 2009/136/CE).

Nous utilisons en effet un outil (libre !) d’analyse des visites (Piwik) installé et géré par nous-même — et non par des tiers comme Google Analytics. Nos visiteurs en sont informés via nos mentions légales. Ils ont la capacité de désactiver eux-mêmes le dépôt de cookie. Par ailleurs, nos statistiques sont anonymisées, et ne recueillent pas d’informations géographiques plus précises que le pays.

So even if you use piwik, you don’t have to put a warning about cookie, as long as it is mentionned in your ToS, and users can desactivate this easily.

BWE · March 27, 2018, 10:42am

pierreozoux:

Pourquoi vos sites ne demandent-ils pas le consentement des visiteurs concernant les cookies ?

Framasoft est exempté du recueil du consentement préalable des utilisateurs car l’association est en conformité avec l’article 32-II de la loi du 6 janvier 1978, modifié par l’ordonnance n°2011-1012 du 24 août 2011 (transposé dans la directive 2009/136/CE).

Nous utilisons en effet un outil (libre !) d’analyse des visites (Piwik) installé et géré par nous-même — et non par des tiers comme Google Analytics. Nos visiteurs en sont informés via nos mentions légales. Ils ont la capacité de désactiver eux-mêmes le dépôt de cookie. Par ailleurs, nos statistiques sont anonymisées, et ne recueillent pas d’informations géographiques plus précises que le pays.

Hi @pierreozoux thank you! Sounds good to me. I will ask our lawyer the next time i see him. Thx!!

BWE · March 29, 2018, 3:18pm

@pierreozoux thank you again! Framasoft referenced an old directive (2009/136/CE). I asked our specialist regardindg GDPR / DSGVO and he said, that it is not relevant if the data is transmitted to a third party. If we store or process user data, we have to inform the user… The question for me is now: does nextcloud store cookies on the clients and do that cookies contain person related data. If this is the case, a cookie-info has to be provided…

pierreozoux · March 29, 2018, 4:01pm

Just checked on the cookie, I just see hashes and booleans.
Maybe these hashes represent personal info, but this I don’t know.

rollanders · March 31, 2018, 7:42am

I have a concern (question/issue) about the full access to the contacts list for all the Nexctcloud users. In the Contacts list there may be some information that not all Nextcloud users should have access to according to the new law (GDPR in english). I would propose the possibility to define users access to selective parts (or not at all) of the Contacts list.