GDPR #18067

Closed
jimaek opened this Issue Apr 20, 2018 · 8 comments

jimaek commented Apr 20, 2018

This topic will be used to follow the development of jsDelivr compatibility with GDPR.

jimaek commented Apr 21, 2018

  • jsDelivr does not have user accounts or store any kind of personal data.
  • The only info we have is the raw logs we download from CDNs, which include IP addresses.
  • We do not store the IPs after processing; we only store the hits per file.

So far it seems that we are pretty compliant.
It remains to research what else we need to do. Different sources keep telling different things.

MartinKolarik commented Apr 21, 2018

I think one of the key questions here is this: When a company includes files from jsDelivr on their website, are we in a position of a data processor for this company? I.e., do we need to provide a DPA so that this company itself stays GDPR compliant while using jsDelivr? I believe this is also what the question on Twitter was about.

chrtz commented Apr 24, 2018

As you are processing the user IPs (which are declared as personal data and therefore handled under the GDPR), I guess you should be able to provide a DPA. (Cloudflare and MaxCDN provide them, too.)

@MartinKolarik you are right, this is what my Twitter question was all about.

Until the 25th of May the DPA actually has to be signed by hand. But this will be an outdated law then. So most of the companies just started to share purely digital DPAs (which would be a lot easier to implement, I guess).

@jimaek thanks for opening the issue.

jimaek commented Apr 24, 2018

We are not processing user IPs at the moment.

ServicePal commented Apr 30, 2018

Thanks for opening the issue. Let me first say we love the service you are providing.

@jimaek, if you capture IP addresses in your log files, and download them as you describe above, then you do become a processor of personal data per GDPR definition.

https://www.alstonprivacy.com/ecj-declares-ip-addresses-personal-data/

In that context, jsDelivr becomes a Sub-processor to us (developers who use your service), and we have to list jsDelivr in our DPA.

As a result, each of us needs to know how long jsDelivr retains the data, how it is being used, who you share it with, and how we (on behalf of other customers) can ask you to delete it and/or download it. Ideally, you would have an easy-to-read Privacy Policy stating all this. But having a privacy policy is not enough; as @chrtz points out, you need to provide a DPA, or alternatively stop collecting IP addresses.

I should have mentioned one more thing. Instead of deleting the IP addresses upon collection, you could decide to mask them (pseudonymize them), such that they appear anonymous. That should get you off the hook. If your current collection is only for the purpose of registering the number of hits per file, that might be a much easier approach to take, in my opinion.

MartinKolarik commented Apr 30, 2018

> I should have mentioned one more thing. Instead of deleting the IP addresses upon collection, you could decide to mask them (pseudonymize them), such that they appear anonymous. That should get you off the hook. If your current collection is only for the purpose of registering the number of hits per file, that might be a much easier approach to take, in my opinion.

We've already discussed this idea, but unfortunately the IPs are being stored by our providers and we are not able to prevent that (technically we don't need the IPs at all), so we'll need to address this in another way.

MartinKolarik commented May 1, 2018

jimaek commented Aug 4, 2018

I think we did everything that we could and can close it.

jimaek closed this Aug 4, 2018
