Sorry it took me so long to reply to this.  I wanted to do research and check 
with sources.  It looks like someone has been putting out instructions that say 
"You need to use HTTPS for any page which mentions a name.".

On 8 Jun 2018, at 8:21am, Hick Gunter <h...@scigames.at> wrote:

> The GDPR considers, inter alia, the full name of a person (=legal fiction 
> that includes human beings as well as legal constructs) is "sensitive data".

I recommend you stay away from phrases like "full name" or "legal name".  
There's no such thing in the EU.  To members of the public you can call 
yourself what you want as long as it's not done to further a crime.

In the case of a code repository, where contributors know that everyone using 
the service for its intended function can see the name (nickname, handle, 
whatever) they supplied, you have no duty to keep that thing confidential 
during intended use.  If you don't want to send someone's real name everywhere, 
don't insist on them supplying it.  And if you're not going to use it for 
anything, you shouldn't be storing it.

Should a contributor comment their code with something like "// I was drunk 
when I wrote the original for this function.  Here's a better one." knowing 
that other users can see their comments, you have no duty to keep that 
information confidential either.  You do have to take it out if they ask you to.

So what you do is, when someone contributes code, make sure they give consent 
for whatever it is to be sent to anyone who uses the code repository.  "Do you 
give consent for us to send your code with the username you signed up with to 
anyone using this repository ?".  If they don't tick the box, the "Submit" 
button stays disabled.  A good way to do this is to provide a short example of 
what users might see.

If you didn't mention sending, say, email address when you asked for 
permission, you shouldn't be sending it /anywhere at all/ whether you're using 
HTTPS or not.

> The GDPR considers, inter alia, transferring website contents as "processing".

By saying that they understood that the information will be transmitted to 
other users for some purposes, they are giving permission for it to be sent to 
third parties for those purposes.

> The GDPR mandates, inter alia, that "sensitive data" be "processed" in a way 
> that "prevents unauthorized access".

Yes.  But as a website operator you are not expected to protect your visitor's 
privacy against anyone capable of hacking into undersea cables, their ISP, or a 
properly configured WiFi router.  People supplying details they know can be 
sent to other parties over the web know you're not magic.

> So if your Website contains the name of a person, the transfer has to be 
> encrypted. Clear enough?

Only where there's expectation of privacy.

Newspaper web sites can use HTTP even though their business consists of 
publishing people's names and personal details about them.  There's no 
requirement for a newspaper site to insist on HTTPS.  Some companies have a web 
page "Who are we ?" which shows names, titles and pictures of their staff.  
There's no requirement for a page like that to insist on HTTPS.  Some companies 
have a "News" page which says "You'll be able to meet our monster AI programmer 
Lisa Richards at E3 on October 3rd.".  There's no requirement for a page like 
that to insist on HTTPS.

In the company examples, the company must secure permission from the relevant 
staff member before putting their name on a public page.  This requirement 
existed for EU companies before the GDPR.  Nothing changed.

The statements in the rest of your post I have no problem with.  Just your 
conclusion.

Simon.
