TOPIC: GDPR Privacy Policy

GDPR Privacy Policy 7 months 1 day ago #1

  • potain
Hello all.

I have received emails from several organisations (Google being one) regarding the EU's GDPR Privacy Policy which needs to be updated before May 25th. Had not known anything about it till now.

Please see en.wikipedia.org/wiki/General_Data_Protection_Regulation or www.sendinblue.com/gdpr/

Can you please let us know how this affects websites using webtrees and any guidelines specific to genealogy?

Have any changes been planned or implemented with regards to forms used for new user enrolments and other relevant areas as it relates to new user rights and the provision of a Privacy Policy page that will be compliant with the new regulations?

Thank you.
Novice in all webtrees matters and in every respect

GDPR Privacy Policy 7 months 1 day ago #2

  • bertkoor
Afaik the GDPR only applies to living people. So webtrees site admins don't have to do anything.

Oh, there is info stored about members, but nothing more than name & email address.
stamboom.BertKoor.nl runs on webtrees v1.7.9

GDPR Privacy Policy 7 months 23 hours ago #3

  • Luenissla
Hello Bert, hello Potain, hello to all,

webtrees stores in its log: Timestamp, Type, Message, IP address, User, Family tree.
Similarly, the server also stores data about access: timestamp, IP address, URL, referrer.
This is information about which visitors must be informed. What happens to it and how long are they stored? A visitor has the right in the future that his access data will be deleted.
So it does not just affect the stored genealogical data.
Best regards
Hans-Joachim (Lünenschloß)

GDPR Privacy Policy 7 months 23 hours ago #4

  • fisharebest
> Afaik the GDPR only applies to living people. So webtrees site admins don't have to do anything.

The problem is that most sites will also include living individuals...

webtrees can be configured to show *some* details of living individuals.

For example, there is an option to "Show names of private individuals" - which shows the name (but no other details).

There is also "Show private relationships" - which will show family structure.

I do not know how many people use these two options. Perhaps it is time to remove them?
Greg Roach - fisharebest.webtrees.net

GDPR Privacy Policy 7 months 20 hours ago #5

  • eh215
Living and recently-deceased individuals that I maintain in my family tree are located outside the EU.

While I elect to not show names or details of private individuals, I switched settings a while back to begin showing private relationships because I was getting questions about why certain marriages & census info weren't showing up for individuals that were long-dead (because one of their children had only died within the last 20 years. I had one individual that died recently at age 102, her parents died in 1952 and 1980).

I may be willing to offer my few EU view-only visitors the option of not having their access tracked, but honestly, I receive far more visits from hackers in Russia, China, the Philippines, or India, than I do legitimate visits from the EU.

Eric
webtrees 1.7.11 at behunt.net/ft
PHP 7.0.31, MySQL 5.6.32-78.1

GDPR Privacy Policy 7 months 19 hours ago #6

  • Luenissla
fisharebest wrote:
> For example, there is an option to "Show names of private individuals" - which shows the name (but no other details).
> There is also "Show private relationships" - which will show family structure.
> I do not know how many people use these two options. Perhaps it is time to remove them?

No, please leave them as they are.

For the Bergische Datenpool the option "Show names of private individuals" is set to "Show to members"; the option "Show private relationships" is set to "hide to everyone".
These points are important, so that the data of living persons are not shown to all visitors, but only to the members after the registration. Otherwise, the contributors could not enter any data of living people.

The data protection regulation does not concern the stored genealogical data, but the data of the visitors and members when they view the page. (see my post above)
Best regards
Hans-Joachim (Lünenschloß)

GDPR Privacy Policy 7 months 17 hours ago #7

  • fisharebest
The GDPR allows us to collect/process personal data for research purposes.
Genealogy is a type of research.
Therefore we are allowed to collect/process data on living relatives.

But as I understand it, we cannot *publish* any information on living individuals (including the name/family structure) unless we have permission from the individual.

> No, please leave them as they are.
> For the Bergische Datenpool the option "Show names of private individuals" is set to "Show to members"; the option "Show private relationships" is set to "hide to everyone".

If we remove these options, then these will be the defaults.
The problem is if you set them to "show to visitors".

> Oh, there is info stored about members, but nothing more than name & email address.

Name & email address is *exactly* the sort of information that is covered by the GDPR.

> Similarly, the server also stores data about access: timestamp, IP address, URL, referrer.
> This is information about which visitors must be informed. What happens to it and how long are they stored?

Currently, we keep access logs forever.
We should only keep them for as long as is necessary. 180 days might be reasonable.

webtrees already obeys the "Do-Not-Track" header and will not add analytics/tracking codes to visitors who set this preference in their browser. So, we are OK here.

webtrees allows members to send messages to each other.
For GDPR, each user must opt-in to the receipt of these messages.
Greg Roach - fisharebest.webtrees.net

GDPR Privacy Policy 6 months 4 weeks ago #8

  • potain
Thank you all for your contributions.

It's a bit confusing to me.

Might be best to approach this on a methodical basis starting with the registration process and the Request new user account form (as this is the main personal data gathering area) and what opt-in options need to be added there so that users are adequately made aware of their new rights (if applicable) and give their consent.

Sendinblue: New rights for users

The GDPR has created new rights of access and data protection for “data subjects”:

Right to rectification: The data subject may request that their personal data be updated or corrected.
Right to be forgotten: The data subject may request that their personal data be permanently deleted.
Right to portability: The data subject may request that their personal data be sent to another organization or competitor.
Right to object: The data subject may object to specific types of processing or uses of their personal data.
Right of access: The data subject has the right to be informed of any and all of their personal data that has been collected, as well as its intended use.

From CNBC.com - conditions of consent

A major focus of GDPR is on conditions of consent which have been strengthened. So companies will not be able to use vague or confusing statements to get you to agree to give them data. Firms won't be able to bundle consent for different things together either.

"If you have a page of different consent, and saying by clicking here you consent to lots of things, that will be wrong, you need to be able to apply that consent individually," Harry Small, a partner at law firm Baker & McKenzie, told CNBC by phone.

Sendinblue: A new definition for consent

One of the big changes in the GDPR is the new definition of consent, which should now be “given freely” and provided in the form of a “positive action” for each planned use case involving the subject’s personal data.

Opt-out practices (whereby subjects are automatically subscribed to a list, leaving it up to them to unsubscribe) and passive opt-in practices (pre-checked boxes in subscription forms) are now prohibited under the new regulation.

Opt-in is now the only way to get explicit consent, and therefore the only legal way to obtain and use your customers’ contact information.

This means that from now on you must:

Provide additional opt-in forms for each of the different ways you plan to use personal data from your customers (e.g. newsletter, automated emails, profiling, etc.),
Ask your users for permission each time you want to use their personal data in a new way.

It is important to note that this new definition of consent also applies to the personal data of European residents collected before May 28th, 2018.

If you have already received consent for the use of this data, you do not need to ask for it again. However, if your current lists do not comply with the GDPR, you must ask for explicit permission from your contacts with the use of an opt-in form.

---> does this mean having to contact all EU existing, registered members and get them to fill out a new opt-in form / send it to all members irrespective or include it as part of the login?

Is the UK still in the EU?

*******

Then address conditions that apply to visitors - what is collected of them, I presume cookies etc... as well as the items brought up by Luenissla and others which I presume would be part of a Privacy Policy statement.

And then if at all possible develop a Privacy Policy with a common set of statements which we can all use, with an opt-in link (that obtains their consent) to that page prominently displayed on the opening page.

Hope that makes sense and that I am not complicating matters.

Just found a site that has a Guide to the General Data Protection Regulation (GDPR) - ico.org.uk/for-organisations/guide-to-th...ion-regulation-gdpr/ - it looks pretty comprehensive with checklists and approaches to take.

It lists eight individual rights.
Novice in all webtrees matters and in every respect
Last Edit: 6 months 4 weeks ago by potain. Reason: additional info

GDPR Privacy Policy 6 months 3 weeks ago #9

  • bigwidower
Hi,

GDPR requires that we include in our site a page called "privacy policy", that describes some information such as what personal data we store about our visitors and how we protect these data.
Does anyone have an idea about the content of such a page as far as a webtrees site is concerned?

GDPR also requires that we add a "checkbox consent" in the contact form. Will this be added in an update?

thanks
webtrees v 1.7.9 for www.venarbol.net/borsodg
Hébergé par PlanetHoster

GDPR Privacy Policy 1 month 1 week ago #10

  • richard
I know this is an old post, but GDPR does not require that we do anything. It requires that 'organisations' comply with it. It specifically does not apply to individuals.
Have been dabbling in my family tree for years but had never used Webtrees until I used Webtrees 1.7.11 to create my first Webtrees site in September 2018
underwoodfamilytree.com
Hosted on Linux server with PHP 7.0.32 and
10.1.35-MariaDB (updated to 10.2.18)

GDPR Privacy Policy 1 month 1 week ago #11

  • bigwidower
No, GDPR is not only for organisations.

Every owner of a website, blog... in which users or visitors have to add personal data (including a simple email address) to fill a contact form, to post a comment, to log to a "private" section, to receive a newsletter... is concerned.

In webtrees, my visitors have to login to access private persons, visitors can also send a message to me, giving me their email address, so I am concerned with GDPR.

Regarding GDPR, I should be able to explain to them why I store their personal data, what I do to protect them, how they can ask me to delete their data, what I will do if their data are stolen, what GoogleAnalytics do with these data...


Nathalie
webtrees v 1.7.9 for www.venarbol.net/borsodg
Hébergé par PlanetHoster

GDPR Privacy Policy 1 month 1 week ago #12

  • richard
The Regulation itself is quite clear.

gdpr-info.eu/

Para 2 (a) This Regulation does not apply to the processing of personal data: in the course of an activity which falls outside the scope of Union law;

Para 2 (c) This regulation does not apply to the processing of personal data: by a natural person in the course of a purely personal or household activity;

Recital 18 (which explains Para 2 (c)) This regulation does not apply to the processing of personal data by a natural person in the course of a purely personal household activity and thus with no connection to a professional or commercial activity. Personal or household activities could include correspondence and the holding of addresses, or social networking and online activities undertaken within the context of such activities.

Therefore GDPR does not apply to an individual person (as opposed to an organisation) conducting a personal activity that is not done professionally or for profit even if this is an online activity.
Have been dabbling in my family tree for years but had never used Webtrees until I used Webtrees 1.7.11 to create my first Webtrees site in September 2018
underwoodfamilytree.com
Hosted on Linux server with PHP 7.0.32 and
10.1.35-MariaDB (updated to 10.2.18)

GDPR Privacy Policy 1 month 1 week ago #13

  • kiwi
I understand you will also find, if you study the detailed texts, that it does not "require that we add a 'checkbox consent' in the contact form."

For an organisation (only) it requires that a process of informed consent exists. It does not specify what that must be.
Nigel

www.our-families.info
