The GDPR provides the following rights for individuals:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling.
The first step for the admin is to communicate clearly what personal data is collected and stored in Seafile.
For the community edition, the list is:
- the files (stored in libraries)
- the user email and user name
- the login log
For the pro edition, the extra information includes:
- the file access log (turned off by default)
- the file activities (which is a basic function of the system)
- the search index stored in the Elasticsearch server
I think the Seafile software itself is not far from GDPR compliant.
If a user asks you to erase his/her data, you can delete the account and libraries, then run GC to remove all deleted libraries from persistent storage. The login log of the user can be removed from the database manually via SQL.
For the community edition, the only thing missing is the login log. Do we need to make it opt-out on a per-user basis? Doesn't the user need to know the login history for security audits?