Law: DSGVO is coming


as a few of you are hosting providers or provide friends hosting for nextcloud, we should talk about the new Datenschutzgrundverordnung (DSGVO), which will be live at 25 of May 2018 and will hit everybody, who collects or works with user data.

How do you solve the problem to document processing of user data? You can view the whole law in english at:
This law will weigh within the whole EU.

1 Like

Hi, are there some news? Is nextcloud save for this?

IÂŽvenÂŽt heard anything, but I think this could be a greater problem for more people. Perhaps it should be possible to develop a community data safety text, which is automatically installed on a new Nextcloud - like diaspora ships a community TOS text.

1 Like

There should be a few generators that can be used for personal homepages. Perhaps we can do something similar in an app. Are here a few people with legal background who could help? I suppose that programming such an app shouldn’t be that hard (at least if there is a fixed text and you just copy&paste it from elsewhere, nice to have would be a little questionnaire to create individual ones).


Personally I use the generator of e-recht24. IÂŽve bought the agency plan. I can give you access to a generated text, but perhaps you should directly talk to e-recht24 or it-kanzlei munich, if they would like to sponsor a law text to your great open source software?

We written quite a bit about this and our website mentions it a lot, too: in Enlish the law is called GDPR and we blogged about it:

(there are some more blogs on it and a post you can download on

In general, because Nextcloud is self-hosted, you’re not letting any data you put on it out of your sight, so that helps you be GDPR/DSGVO compliant. If you use non-local storage, you could use the server-side encryption to be compliant still.

The Auditing features allow you to ensure nothing happens without being recorded and ready for auditing.

In short, Nextcloud is super safe and honestly the easiest way for a company to be GDPR/DSGVO compliant.

I agree, Nextcloud is a perfect solution to be GDPR/DSGVO compliant, but one thing seems not be implemented: the COOKIE-LAW or ePrivacy directive. For a lot of other web related software (Wordpress, Joomla, 
) there exist plugins - for example this one

Are there any plans to create such an plugin/apps for Nextcloud until 25.05.2018?

Thank you for this great piece of open software!!

1 Like

Hi @BWE apparently (I’m not a lawyer), but if you don’t use 3rd party cookie like google analytic and friends, you don’t need to put such a popup.

Here is how framasoft expalin it in french on their website:

Pourquoi vos sites ne demandent-ils pas le consentement des visiteurs concernant les cookies ?

Framasoft est exemptĂ© du recueil du consentement prĂ©alable des utilisateurs car l’association est en conformitĂ© avec l’article 32-II de la loi du 6 janvier 1978, modifiĂ© par l’ordonnance n°2011-1012 du 24 aoĂ»t 2011 (transposĂ© dans la directive 2009/136/CE).

Nous utilisons en effet un outil (libre !) d’analyse des visites (Piwik) installĂ© et gĂ©rĂ© par nous-mĂȘme — et non par des tiers comme Google Analytics. Nos visiteurs en sont informĂ©s via nos mentions lĂ©gales. Ils ont la capacitĂ© de dĂ©sactiver eux-mĂȘmes le dĂ©pĂŽt de cookie. Par ailleurs, nos statistiques sont anonymisĂ©es, et ne recueillent pas d’informations gĂ©ographiques plus prĂ©cises que le pays.

So even if you use piwik, you don’t have to put a warning about cookie, as long as it is mentionned in your ToS, and users can desactivate this easily.

Hi @pierreozoux thank you! Sounds good to me. I will ask our lawyer the next time i see him. Thx!!

@pierreozoux thank you again! Framasoft referenced an old directive (2009/136/CE). I asked our specialist regardindg GDPR / DSGVO and he said, that it is not relevant if the data is transmitted to a third party. If we store or process user data, we have to inform the user
 The question for me is now: does nextcloud store cookies on the clients and do that cookies contain person related data. If this is the case, a cookie-info has to be provided


Just checked on the cookie, I just see hashes and booleans.
Maybe these hashes represent personal info, but this I don’t know.

I have a concern (question/issue) about the full access to the contacts list for all the Nexctcloud users. In the Contacts list there may be some information that not all Nextcloud users should have access to according to the new law (GDPR in english). I would propose the possibility to define users access to selective parts (or not at all) of the Contacts list.