On Sat, May 12, 2018 at 01:06:15AM +0900, Stephen J. Turnbull wrote: > I hate to disagree with everybody, but ... > > We need to get an articulare European lawyer, or at least find someone > who has studied the subject. I don't know the credentials of anyone > who has posted on this list, so I would be careful. There was a post > a few months back listing a bunch of stuff that person claimed we > needed to support for our users (ie, list owners) to be able to > conform to GDPR. (Sorry, on a plane right now, search is painful.) > I have no idea if that person was clueful, but I suspect he was a > privacy activist and so would be biased toward stringent > interpretation. Still that post is where I'd start. > > On the FUD end of the spectrum, there are claims that the IPs in your > webserver log are subject to redaction on request. There are > counterclaims that that is FUD. ;-)
[ first: IANAL ] It is FUD. Yes, you could argue that an IP address is a form of 'personal information' (PI), in that it might identify someone. But you are allowed to keep such information for the purposes of debugging server problems, tracking down attempted break ins, etc. So you can keep the logs for a reasonable time to allow you to do that. How long: the default log recycling times (eg a few weeks to a couple of months) would be reasonable. Some have suggested 2 days - but it is easy to justify that that is not long enough since many problems do not become known for some time. One confusion is that the GDPR does not prevent you keeping PI (eg as above), but there are strictures on *processing* it, eg with the purpose of sending spam. *processing* it to trace a break in would be allowed - you are not seeking to identify or act on the individual -- unless s/he was the reprobate who attacked your machine. A huge number of organisations are now seeking reaffirmation that you want to receive email from them, this is because they do not have adequate documentation that you want to receive email. My view is that the mailman log files show when a user requested to join a mail list (eg the subscribe file); if they asked to be subscribed and someone else did it, then the email/signup-form should be kept. https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/ > I don't know the credentials of > either claimant. It is my understanding that you may need to remove > posts from archives on request. AFAIK neither Mailman 2 nor Mailman 3 > supports that in the sense of making it possible to do it without > editing the archives by hand (and in Mailman 2's case, rebuilding the > archives), which requires login access to the host. There is a right to be forgotten https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-erasure/ > There are also claims that if you don't profit from the data stored in > your host's records, you're safe. Some people have posted "all posts > yours are automatically permanently ours" rules of usage -- but I > don't think EU law necessarily allows that, because GDPR rights may > very well be inalienable "creator's rights". I have no way to > evaluate these claims, but at the very least you have to worry about > frivolous claims (insert Michael Cohen/Rudy Guiliani joke here). > > Footnotes: > [1] If someone reading this thinks they know GDPR well enough to (1) > present basic concepts and risks (while liberally sprinkling IANALs and > TINLAs around) and IANAL > (2) point people at real lawyer blogs, But beware: there is a mini-industry of people who try to worry organisations and seek to advise you (at a fee - of course). -- Alain Williams Linux/GNU Consultant - Mail systems, Web sites, Networking, Programmer, IT Lecturer. +44 (0) 787 668 0256 https://www.phcomp.co.uk/ Parliament Hill Computers Ltd. Registration Information: https://www.phcomp.co.uk/contact.php #include <std_disclaimer.h> ------------------------------------------------------ Mailman-Users mailing list Mailman-Users@python.org https://mail.python.org/mailman/listinfo/mailman-users Mailman FAQ: http://wiki.list.org/x/AgA3 Security Policy: http://wiki.list.org/x/QIA9 Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/ Unsubscribe: https://mail.python.org/mailman/options/mailman-users/archive%40jab.org
