GDPR law - Seafile ready?

Cardiak · April 10, 2018, 5:12am

@daniel.pan I’d really appreciate it if admin had option to disable all tracking (IP, user agent etc)
Also I think that the Storage Encryption Backend would also be available on the CE.

marcusm · April 10, 2018, 6:29am

Or at least - and much more important - to delete his Information from the audit log (IP, metadata) after the user is deleted (as an extra option) and as @DerDanilo said it should be easy to do.

Maybe an option to disable the tracking for just some users but you’d still have the web server logs, so i don’t think this is needed as long as the user is using this system he needs to know that such things will be logged - But can easily be removed if he doesn’t use it anymore.

And a feature to export all that information about one user in the seafile system would help too, since the customer/user has the right to know which data is collected, so if the admin can click just one button and will receive a ZIP with all the Information about that user (like Google does it too).

DerDanilo · April 10, 2018, 7:36am

@daniel.pan

As found in another forum:

The TL:DR for GDPR is that if you use personally identifiable information about a citizen of the EU you need to comply with it completely by May 25th 2018.

There needs to be a valid legal basis for processing personally identifiable informaion. Systems have to protect the rights of data subjects, Privacy notices must be adequate. Security of data and backups needs to be clearly documented and privacy and data protection should be by design. To my mind this rules out a lot of current cloud solution providers. It rules out backups being convenently dumped in cloud storage (unless encrypted). It rules out using dropbox or google cloud storage or AWS or icloud to store personally identifiable information. It is important therefore to act on GDPR now. Even if one EU citizen uses your product or service the product or service must comply with GDPR.

daniel.pan · April 10, 2018, 7:55am

This feature will be added in the next release.

Cardiak · April 10, 2018, 10:12am

what about general setting for admins that would allow them to delete whole logging/limit it. I would really appreciate that. Also I think that would bring some users that have privacy as number 1 priority

gauburtin · April 15, 2018, 11:01am

Hi,

I noticed that someone posted an interesting feature request on termes and conditons that may be related to this discusson on GDPR.

Regards

GITchristoph · May 12, 2018, 7:17am

Hi @daniel.pan
Has the feature already been added?
Maybe only in the Pro Version?

daniel.pan · May 12, 2018, 8:19am

It will be included in the next release 6.3.

marcusm · May 12, 2018, 8:27am

Do you know how long we will have to wait for the new Version?

daniel.pan · May 12, 2018, 8:47am

The new version will be ready within a few weeks.

DerDanilo · May 12, 2018, 11:10am

By law Software needs to be compliant by the 25th may 2018.
We have to shut down Seafile theoretically until there is a solution in place.
A few weeks from now is not good enough. This was known for a long time already. I don’t get why it was not implemented earlier.

daniel.pan · May 12, 2018, 12:37pm

The login log of the user can be removed from database manually via SQL. So in theory, you don’t break the law if you manually delete it if the user request.

wthess · May 12, 2018, 5:32pm

I’m in the US, so I’m not as familiar with the law, but I’m certain at some point, a similar law will be passed here.

So, my question is this. Does the law also apply to an individual that hosts their own data? What about an individual that runs Seafile out of their home but has a couple of friends that use it? What about non-profit organizations? Where is that line in the sand between private and public?

m_ueberall · May 13, 2018, 5:33pm

@wthess, you might want to have a look at

https://en.wikipedia.org/wiki/General_Data_Protection_Regulation (for a short overview)
https://eur-lex.europa.eu/eli/reg/2016/679/oj (for the regulation itself)
https://www.itgovernance.eu/blog/en/expert-gdpr-qa-the-material-scope-of-personal-data-and-legal-implications (for Q&A)

In short: GDPR directly pertains to data collection, therefore both non-profit and charitable organizations have exactly the same obligation to abide by GDPR as any other corporation. However, its scope excludes data processed by natural persons for purely personal reasons.
Please note, though, that IANAL and you should always double-check statements.

GITchristoph · May 23, 2018, 2:20pm

How could we/I add some policy or terms of usage to the Seafile website?
So that if people get on the website, that they can see our terms and conditions.

bionade24 · May 23, 2018, 4:50pm

There a serveral APIs in the manual, with them you can create a custom login.

GITchristoph · May 23, 2018, 6:52pm

Cool, can I ask which API you used and how?

DerDanilo · May 23, 2018, 7:59pm

We need something like this in the Seafile Admin Interface. Be able to search for specific objects, IPs etc. in the DB. No fiddeling with the DB should be required.

GITchristoph · May 23, 2018, 8:18pm

I agree

DerDanilo · May 24, 2018, 7:53am

Very good idea. Almost forgot. This can break one’s neck in certain situations.

It should be possible to set a custom url to one’s terms and conditions in the admin panel/config files.

@daniel.pan Could you please add this option and add the link for it to the footer of the Seafile Web UI!? Should be a simple change as it’s mostly adjustment in the theme files.

Thanks!