GDPR compliance

[maximedenes]

Hello,

I like very much the possibility of sorting packages according to popularity: https://opam.ocaml.org/packages/index-popularity.html

However, if I read the source code correctly, this data aggregation is based on server log data collected (I believe) without prior consent from users. Collecting such data is typically seen as legitimate for security and monitoring purposes. I thought that for package popularity measurement, explicit consent was the rule. Is the current OPAM approach known to be GDPR-compliant?

Context: I'd like to implement something similar for Coq packages, but would like to understand the legal implications better.

A pointer to someone I could talk to offline about this would also be great, if more appropriate.

[avsm]

Thanks for bringing this up. We are broadly gdpr compliant since the statistics are sufficiently anonymised as to not be identifiable to an individual (and therefore are not covered by the gdpr) https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/what-is-personal-data/what-is-personal-data/ However, our server side processing predates the gdpr and needs to be improved. We can avoid logging any personal information and directly update the package counters from a server process, thus ensuring identifiable data is never actually handled by us at all. Once this is done, I believe that the package management stats are no longer identifying any data subjects and are therefore not covered by the gdpr. More eyes on my assessment above would be welcome (I am currently travelling so this is posted on the move).

…

On 12 Jun 2019, at 22:53, Maxime Dénès ***@***.***> wrote: Hello, I like very much the possibility of sorting packages according to popularity: https://opam.ocaml.org/packages/index-popularity.html However, if I read the source code correctly, this data aggregation is based on server log data collected (I believe) without prior consent from users. Collecting such data is typically seen as legitimate for security and monitoring purposes. I thought that for package popularity measurement, explicit consent was the rule. Is the current OPAM approach known to be GDPR-compliant? Context: I'd like to implement something similar for Coq packages, but would like to understand the legal implications better. A pointer to someone I could talk to offline about this would also be great, if more appropriate. — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub, or mute the thread.

[avsm]

We no longer keep these server-side logs since ocaml/infrastructure#19, and the relevant statistic sections are no longer published. So marking this as completed!