GDPR compliance #175
Thanks for bringing this up. We are broadly GDPR compliant since the statistics are sufficiently anonymised as to not be identifiable to an individual (and therefore are not covered by the GDPR).
https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/what-is-personal-data/what-is-personal-data/
However, our server-side processing predates the GDPR and needs to be improved. We can avoid logging any personal information and directly update the package counters from a server process, thus ensuring identifiable data is never actually handled by us at all. Once this is done, I believe that the package management stats are no longer identifying any data subjects and are therefore not covered by the GDPR.
More eyes on my assessment above would be welcome (I am currently travelling so this is posted on the move).
… On 12 Jun 2019, at 22:53, Maxime Dénès ***@***.***> wrote:
Hello,
I like very much the possibility of sorting packages according to popularity: https://opam.ocaml.org/packages/index-popularity.html
However, if I read the source code correctly, this data aggregation is based on server log data collected (I believe) without prior consent from users. Collecting such data is typically seen as legitimate for security and monitoring purposes. I thought that for package popularity measurement, explicit consent was the rule. Is the current OPAM approach known to be GDPR-compliant?
Context: I'd like to implement something similar for Coq packages, but would like to understand the legal implications better.
A pointer to someone I could talk to offline about this would also be great, if more appropriate.
We no longer keep these server-side logs since ocaml/infrastructure#19, and the relevant statistic sections are no longer published. So marking this as completed!