[MediaWiki-l] GDPR and contracts

[MediaWiki-l] GDPR and contracts

"Thomas Uwe Grüttmüller"
Hello all,
I’d like to bring up a new aspect into the GDPR debate: From what I’ve
heard, the rules about personal data are less strict when the data is
stored and processed in order to fulfil a contract. For example, in this
case, deletion requests would be void. Now many wikis demand in their
TOS that all contributions are licensed under a specific license (e.g.
CC-BY-SA), and that license is indeed a contract.

Greetings,
   Thomas

_______________________________________________
MediaWiki-l mailing list
To unsubscribe, go to:
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l

Re: GDPR and contracts

Derk-Jan Hartman
> From what I’ve heard, the rules about personal data are less strict when
> the data is stored and processed in order to fulfil a contract.

Less strict is not a good description. GDPR has many restrictions on how
you collect and handle personal data. It however also has many reasons why
you are legitimately allowed to deal with personal data. Added to that are
the rights of the consumer (or rather EU citizens). GDPR is an interplay
that balances these 3 things and it does so (as often with law,
intentionally) a bit vaguely at times.

The following allows you to collect a person's information:
1: Consent
2: Vital interests (ambulance, hospital etc)
3: Legal requirement (government tells you to collect it)
4: Contracts (Delivery address when you buy something online, or likely
indeed copyright licensing something for public [re]use)
5: Public good (police)
6: Justifiable interests (personnel administration, without which your
company cannot function)

And these can overlap. Your requirements about how you are supposed to
handle this personal data don't really differ greatly based upon these,
however the rights that the user has MIGHT be influenced. For instance you
can imagine that it is not realistic you demand that your name is removed
from the personnel administration of your company (esp while you work
there). That would be highly non-practical ;) Similarly, it likely doesn't
need permission to disclose your name to all your fellow employees.
Disclosing your birthdate to all your fellow employees might require the
employee's consent however as that is not likely to be critical to how you
operate your business.
We can also see this vagueness and graduality at play in recent Right to be
forgotten cases where people asked to be removed from Google results. The
courts made a difference between repeat offenders (not removed) and a one
time offender who showed remorse (removed). Same principles in EU law for
both, yet different results. See also:
https://www.nytimes.com/2018/05/07/opinion/google-right-to-be-forgotten-first-amendment.html

What you should be doing is to create an index of the types of personal
data that you collect, and build an argumentation / justification as to why
you collect it, why you store it, how long, how technically and why/how
rights of users might (not) apply etc. If you document that (Privacy Impact
Assessment), actually do as you preach, you are transparent and are
generally responsive to consumer requests, then it is unlikely you will
get into trouble more than like an admonishment or something. That is
because as a company, it is not about fully complying to every letter of
GDPR, it's about "How well does your story add up". You have to rly F'up
before they will fine you 4% of your yearly revenue.

I advise everyone dealing with this to read the GDPR. I personally use
https://gdpr-info.eu, which is a website by a consulting firm, but it is a
nice interface that allows you to search and easily browse the specific law.

If you are Dutch, the Autoriteit Persoonsgegevens has created a very
understandable "In a nutshell" document, which is a good place to start as well.
https://autoriteitpersoonsgegevens.nl/sites/default/files/atoms/files/avg_in_een_notendop.pdf

Just remember that whenever you see something that is "required by GDPR",
that this is likely in one branch of the GDPR tree. There might be
exceptions/other branches. There is not one universally applicable truth to
GDPR.

DJ
All of this again not legal advice, get a proper lawyer and/or data
protection officer  ;)


On Tue, May 29, 2018 at 6:09 AM Thomas U. Grüttmüller <[hidden email]>
wrote:

> Hello all,
> I’d like to bring up a new aspect into the GDPR debate: From what I’ve
> heard, the rules about personal data are less strict when the data is
> stored and processed in order to fulfil a contract. For example, in this
> case, deletion requests would be void. Now many wikis demand in their
> TOS that all contributions are licensed under a specific license (e.g.
> CC-BY-SA), and that license is indeed a contract.
>
> Greetings,
>    Thomas
>