GDPR #18067
Comments
So far it seems that we are pretty compliant.
I think one of the key questions here is this: When a company includes files from jsDelivr on their website, are we in a position of a data processor for this company? I.e., do we need to provide a DPA so that this company itself stays GDPR compliant while using jsDelivr? I believe this is also what the question on Twitter was about.
As you are processing the user IPs (which are declared as personal data and therefore handled under the GDPR), I guess you should be able to provide a DPA. (Cloudflare and MAXCDN provide them, too.) @MartinKolarik you are right, this is what my Twitter question was all about. Until the 25th of May the DPA actually has to be signed by hand. But this will be an outdated law then. So most of the companies just started to share purely digital DPAs (which would be a lot easier to implement, I guess). @jimaek thanks for opening the issue.
We are not processing user IPs at the moment.
Thanks for opening the issue. Let me first say we love the service you are providing. @jimaek, if you capture IP addresses in your log files, and download them as you describe above, then you do become a processor of personal data per the GDPR definition. https://www.alstonprivacy.com/ecj-declares-ip-addresses-personal-data/ In that context, jsDelivr becomes a sub-processor to us (developers who use your service), and we have to list jsDelivr in our DPA. As a result, each of us needs to know: how long jsDelivr retains the data; how it is being used; who you share it with; and how we (on behalf of other customers) can ask you to delete it and/or download it. Ideally, you would have an easy-to-read privacy policy stating all this. But having a privacy policy is not enough; as @chrtz points out, you need to provide a DPA, or alternatively stop collecting IP addresses. I should have mentioned one more thing. Instead of deleting the IP addresses upon collection, you could decide to mask them (pseudonymize them), such that they appear anonymous. That should get you off the hook. If your current collection is only for the purpose of registering the number of hits per file, that might be a much easier approach to take, in my opinion.
We've already discussed this idea, but unfortunately the IPs are being stored by our providers and we are not able to prevent that (technically we don't need the IPs at all), so we'll need to address this in another way.
I think we did everything that we could and can close it.
This topic will be used to follow the development of jsDelivr compatibility with GDPR.