Define what data we do collect #11

Closed
opened 3 years ago by fede · 13 comments
fede commented 3 years ago
Owner

What's the necessary data Disroot requires for the operation of the services?

fede added this to the 1.2 milestone 3 years ago
Owner

I don't know.

Owner

I will work on this one probably tomorrow, together with the details on a per-service basis, and submit a pull request for review.

Poster
Owner

I'm just guessing, but probably:

  • Registration info like date, username, password, secondary email if any
  • Session logs
  • Email logs?
  • Support tickets info?
Owner

It's more of a question of how much we want to specify and how much we want to put in the per-service part.

I think @antilopa should also specify administration-wise what we collect, unless of course we make a separate point out of it.

I haven't got time to write as I promised, but I will try to sit on it ASAP.

Owner

Administration-wise, we have quite some information on anyone who donates. This information is available to us via PayPal/bank etc. We need to think how we want to handle it and if there is a way to reduce that information.

Poster
Owner

I'll try to elaborate a bit more on this point later. But for sure, we'll need to add a PP consent check-box in the donations form and a link to the Users' Right section and be sure that our PP text covers the information used for these transactions.

Owner

It includes all donations, not only for people who request special perks. Most of the people who donate don't fill in a form. But the information comes through third parties, so we just have to figure out how to keep it ourselves. I don't know how to deal with it really; anonymizing all incoming donations is also quite a hassle administratively.

Poster
Owner

I think it should be enough to add a notice which explains that donations are processed by third parties (e.g. PayPal), whose systems we use to take those donations, and if the user gives them permission to do so, they will share this data (excluding payment details) with Disroot. Any data provided by a supporter is stored on these third parties' servers which, for the purposes of GDPR, are the ‘Data Processors’ and the ‘Data Controllers’.

Owner

That is not exactly true, the information is also stored on our accounting software. It is copied from the third party services and that is what we generate our financial overview from.

Poster
Owner

Sure, but that's an administrative aspect, and in that case I think our PP complies with GDPR definitions about NGO data processing. Since I don't know how exactly our Donations Administration works, I can only guess we receive very little information, such as amount, email or transaction reference related. I'll try to research more on this.

Owner

That depends how you look at it. If we get a PayPal donation, we actually receive all the information supplied by PayPal. Same with the bank. The question is if we use all that info for processing, and this is mainly the thing.
I think specifying that, depending on the user's choice of donations, they are in contract with that party's PP. We can say we use <list of things like amount, email, etc> for our internal administration for X amount of time (in accordance with Netherlands Tax regulations).

Poster
Owner

I agree with that approach and it was what I'm trying to point out.

Owner

Yes indeed @fede
Ok so for this one action points:

  1. @muppeth creates matrix/list/overview of data collected from logs and other service specific stuff
  2. @antilopa Creates matrix of administrative data processed
muppeth closed this issue 3 years ago