GDPR #18067

Closed
jimaek opened this issue Apr 20, 2018 · 8 comments

@jimaek
Member

jimaek commented Apr 20, 2018

This topic will be used to follow the development of jsDelivr compatibility with GDPR.

@jimaek
Member Author

jimaek commented Apr 21, 2018

  • jsDelivr does not have user accounts or store any kind of personal data.
  • The only info we have is the raw logs we download from CDNs, which include IP addresses.
  • We do not store the IPs after processing, we only store the hits per file.

So far it seems that we are pretty compliant.
It remains to research what else we need to do. Different sources keep telling different things.

@MartinKolarik
Member

MartinKolarik commented Apr 21, 2018

I think one of the key questions here is this: When a company includes files from jsDelivr on their website, are we in a position of a data processor for this company? I.e., do we need to provide a DPA so that this company itself stays GDPR compliant while using jsDelivr? I believe this is also what the question on Twitter was about.

@chrtz

chrtz commented Apr 24, 2018

As you are processing the user IPs (which are declared as personal data and therefore handled under the GDPR), I guess you should be able to provide a DPA. (Cloudflare and MaxCDN provide them, too.)

@MartinKolarik you are right, this is what my Twitter question was all about.

Until the 25th of May the DPA actually has to be signed by hand. But this will be an outdated law then. So most of the companies just started to share purely digital DPAs (which would be a lot easier to implement, I guess).

@jimaek thanks for opening the issue.

@jimaek
Member Author

jimaek commented Apr 24, 2018

We are not processing user IPs at the moment.

@ServicePal

ServicePal commented Apr 30, 2018

Thanks for opening the issue. Let me first say we love the service you are providing.

@jimaek, if you capture IP addresses in your log files, and download them as you describe above, then you do become a processor of personal data per GDPR definition.

https://www.alstonprivacy.com/ecj-declares-ip-addresses-personal-data/

In that context, jsDelivr becomes a Sub-processor to us (developers who use your service), and we have to list jsDelivr in our DPA.

As a result, each of us needs to know: how long jsDelivr retains the data, how it is being used, who you share it with, and how we (on behalf of other customers) can ask you to delete it and/or download it. Ideally, you would have an easy-to-read Privacy Policy stating all this. But having a privacy policy is not enough; as @chrtz points out, you need to provide a DPA, or alternatively stop collecting IP addresses.

I should have mentioned one more thing. Instead of deleting the IP addresses upon collection, you could decide to mask them (pseudonymize them), such that they appear anonymous. That should get you off the hook. If your current collection is only for the purpose of registering the number of hits per file, that might be a much easier approach to take, in my opinion.

@MartinKolarik
Member

> I should have mentioned one more thing. Instead of deleting the IP addresses upon collection, you could decide to mask them (pseudonymize them), such that they appear anonymous. That should get you off the hook. If your current collection is only for the purpose of registering the number of hits per file, that might be a much easier approach to take, in my opinion.

We've already discussed this idea, but unfortunately the IPs are being stored by our providers and we are not able to prevent that (technically we don't need the IPs at all), so we'll need to address this in another way.
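
One way to do the masking discussed in the two comments above, as an added example (not jsDelivr's code and not from the thread): it counts hits per file from raw log lines and truncates each address to its network prefix before anything is kept. The log line format, the /24 and /48 prefix lengths, and the sample lines are assumptions constructed for the illustration.

```python
import ipaddress
from collections import Counter

# Constructed sample lines in an assumed "ip method path status" format.
SAMPLE_LOG = """\
203.0.113.57 GET /npm/jquery@3.3.1/dist/jquery.min.js 200
203.0.113.99 GET /npm/jquery@3.3.1/dist/jquery.min.js 200
2001:db8:85a3:8d3:1319:8a2e:370:7348 GET /npm/vue@2.5.16/dist/vue.min.js 200
not-an-ip GET /npm/vue@2.5.16/dist/vue.min.js 200
198.51.100.4 GET /npm/vue@2.5.16/dist/vue.min.js 304
"""


def mask_ip(raw, v4_prefix=24, v6_prefix=48):
    """Zero the host bits of an address; return None if it does not parse."""
    try:
        addr = ipaddress.ip_address(raw)
    except ValueError:
        return None
    prefix = v4_prefix if addr.version == 4 else v6_prefix
    # strict=False lets ip_network accept an address with host bits set.
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(net.network_address)


def process(log_text):
    """Return (hits per file, masked log lines); full IPs are never kept."""
    hits = Counter()
    masked_lines = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip lines that do not match the assumed format
        ip, method, path, status = fields
        hits[path] += 1  # the per-file hit count needs no address at all
        masked = mask_ip(ip) or "-"  # unparseable client field is dropped
        masked_lines.append(f"{masked} {method} {path} {status}")
    return hits, masked_lines


if __name__ == "__main__":
    hits, masked_lines = process(SAMPLE_LOG)
    for path, count in hits.most_common():
        print(count, path)
    print("\n".join(masked_lines))
```
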

@MartinKolarik
Member

First step: https://www.jsdelivr.com/privacy-policy-jsdelivr-net

@jimaek
Member Author

jimaek commented Aug 4, 2018

I think we did everything that we could and can close it.
