
Status on GDPR compliance ? #8820

Closed
rzr opened this issue May 18, 2018 · 23 comments

Comments

@rzr

rzr commented May 18, 2018

I am wondering if Mattermost complies with the current EU regulation regarding privacy. If yes, it would be nice to know how you managed to; if not, then it could make sense to align the implementation with other FLOSS projects and converge on a common architecture/interface.

For reference:
https://www.eugdpr.org/eugdpr.org.html

@jasonblais
Contributor

Hi @rzr - great question. Mattermost is compliant with EU GDPR and we're working through the following:

  • ensure our documentation and privacy policy are up to date with GDPR
  • publish a guide for Mattermost admins and/or the Data Protection Officer (DPO) reviewing the capabilities of Mattermost to support compliance with the EU GDPR
  • announce compliance with the community

@rzr
Author

rzr commented May 18, 2018

Excellent, keep us posted.

@sokoow

sokoow commented May 24, 2018

This is totally not true, Mattermost currently lacks the following technical capabilities to fully support GDPR (unless I missed something):

  • offloading users and their historical chats - need to do it manually at the DB level currently - this can be fixed by posting a guideline on how to do it properly at the DB level first (for example by replacing all the user's chats with "deleted" as a simple solution), until a proper UI-based element for user deletion and offloading is added. Dropping records off the DB for offloaded users causes problems, we tried it ;)

So it doesn't look like I'm only criticizing, here's what's done exceptionally well:

  • keeping personal information - Mattermost's ORM keeps user related personal data in a single table called 'users' - all interconnection to other aspects of the system (channels and messages) is done on a per-hash relationship basis, which is very awesome.

Keep doing the good work, your system is amazing - but please fix the stuff that I mentioned, as we're getting our first requests to offload users and it's a pain currently :/

@lfbrock
Contributor

lfbrock commented May 24, 2018

@sokoow - when you say dropping records off the DB for offloaded users causes problems, was that using the platform user delete CLI tool or doing it manually?

@sokoow

sokoow commented May 24, 2018

Ah, I totally missed that CLI option! :D We were doing it manually, and yes, managed to snooker things this way. Is the CLI way safe to use? Are you planning to extend that option to the GUI as well, like you did with disabling users (fair play)?

@lfbrock
Contributor

lfbrock commented May 24, 2018

It's probably "safer", but generally we recommend making sure to back things up before making any database changes just in case, so I don't think there's any current plans to add it to the GUI.

@sokoow

sokoow commented May 25, 2018

One more thing - upon closer system inspection, we noticed that there's another place where user-generated data is being stored: the data directory, which holds pictures, avatars and attachments that users added to the system. Do you have any selective way to offload that content too - does the platform delete command take care of this?

@jasonblais
Contributor

@sokoow I don't think that command would affect your file storage / data directory. I have touched base with our engineers to confirm.

By the way @sokoow @rzr we have an overview of GDPR here and a summary of all our license agreements, terms and privacy policy here

@jasonblais
Contributor

The command doesn't delete content from the data directory.

However, all file uploads include a CreatorId, which can be used to delete all uploads for a given user. Avatars are stored in data/users/<userid>/profile.png
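
An added example (not code from Mattermost or from anyone in this thread) of the clean-up step this comment describes: it lists, and on a second pass removes, the uploads whose CreatorId matches a user, plus the avatar at data/users/<userid>/profile.png. The FileInfo table, its Path column, the sample rows and the data directory are constructed stand-ins; it defaults to a dry run so an admin can take the backup recommended above first, and it refuses any stored path that resolves outside the data directory.

```python
import os
import sqlite3
import tempfile

# Constructed stand-in for a Mattermost data directory and its FileInfo table; the
# table/column names (FileInfo, CreatorId, Path) are assumptions of this example.
def build_sample(root):
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE FileInfo (Id TEXT, CreatorId TEXT, Path TEXT)")
    rows = [("f1", "user_a", "20180525/teams/t1/channels/c1/users/user_a/f1/report.pdf"),
            ("f2", "user_b", "20180525/teams/t1/channels/c1/users/user_b/f2/notes.txt"),
            ("f3", "user_a", "../outside.txt")]  # hostile Path value: must never be followed
    db.executemany("INSERT INTO FileInfo VALUES (?, ?, ?)", rows)
    for _, _, path in rows[:2]:
        os.makedirs(os.path.join(root, os.path.dirname(path)), exist_ok=True)
        open(os.path.join(root, path), "wb").write(b"x")
    for uid in ("user_a", "user_b"):  # avatars live at data/users/<userid>/profile.png
        os.makedirs(os.path.join(root, "users", uid), exist_ok=True)
        open(os.path.join(root, "users", uid, "profile.png"), "wb").write(b"png")
    return db

def _inside(root, rel):
    # Refuse any Path that resolves outside the data directory.
    return os.path.realpath(os.path.join(root, rel)).startswith(os.path.realpath(root) + os.sep)

def purge_user_files(db, root, user_id, dry_run=True):
    # Dry run (default) only lists what would go, so the admin can back up first.
    paths = [r[0] for r in db.execute("SELECT Path FROM FileInfo WHERE CreatorId = ?", (user_id,))]
    paths.append(f"users/{user_id}/profile.png")
    targets = sorted(p for p in paths if _inside(root, p))
    skipped = sorted(p for p in paths if not _inside(root, p))
    if not dry_run:
        for p in targets:
            if os.path.isfile(os.path.join(root, p)):
                os.remove(os.path.join(root, p))
        db.execute("DELETE FROM FileInfo WHERE CreatorId = ?", (user_id,))
        db.commit()
    return targets, skipped

def demo(user_id="user_a"):
    # Exercise both modes in a throwaway directory and report what happened.
    with tempfile.TemporaryDirectory() as root:
        db = build_sample(root)
        planned, skipped = purge_user_files(db, root, user_id, dry_run=True)
        kept = all(os.path.isfile(os.path.join(root, p)) for p in planned)
        done, _ = purge_user_files(db, root, user_id, dry_run=False)
        gone = not any(os.path.exists(os.path.join(root, p)) for p in done)
        other_ok = os.path.isfile(os.path.join(root, "users", "user_b", "profile.png"))
        rows_left = db.execute("SELECT COUNT(*) FROM FileInfo").fetchone()[0]
        return {"planned": planned, "skipped": skipped, "kept_on_dry_run": kept, "gone": gone, "other_user_intact": other_ok, "rows_left": rows_left}
```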

@sokoow

sokoow commented May 25, 2018

Cool, that's useful information thank you.

@realrolfje

Currently, Mattermost provides tools to delete users and posts, and to make sure proper passwords and encryption are in place. This is all great, and needed for GDPR, but some things are missing, also from your GDPR compliance statement.

As far as I understand, GDPR requires a website or service to:

  1. Clearly specify what data is asked for and what it is used for (at time of registration), in a readable (non-legalese) form.
  2. Ask for consent for usage of this data, and store that consent for later reference
  3. Only ask for data which is absolutely needed for correct functioning of the service

I am struggling to collect this data from our users and manually process deletes/activations and cleanups. Are there plans to add these possibilities to Mattermost so that we can legally keep using it in Europe? Can we help?

@amyblais
Member

Hi @realrolfje - letting you know that I've reached out to our Product Managers regarding your questions and we'll get back to you soon.

@realrolfje

Thanks! I noticed that my former post was not entirely clear about people who registered before the GDPR invocation date: Our existing, pre-registered users all need to receive an email with a link which explains the new terms, and contains a way to explicitly re-affirm their consent. If they do not approve, or explicitly decline, we need to remove their data. It would really help if Mattermost provided tools to easily facilitate this, particularly for installations with large user bases.

@amyblais
Member

amyblais commented Jul 6, 2018

@realrolfje - Giving you an update that our product managers are still looking at this and I'm hoping to hear feedback from them soon. Thank you for your patience!

@jasonblais
Contributor

Thanks @realrolfje for your excellent question. And sorry for the extended delay.

  1. With email/password login, we link to the terms of service and privacy policy on the account creation page, which can both be customized as a System Admin via System Console > Customization > Legal and Support. By proceeding, the user agrees to the terms and privacy policy. The user is also asked to enter their email address during the account creation process, which is the only personal information required for login.

  2. Those using a non-email/password login, such as GitLab SSO, AD/LDAP or SAML SSO, may automatically pull first/last name, nickname and position from the service provider. This is configured by the System Administrator and we've assumed such permissions have previously been accepted by the user.

  3. All of the above information is stored in the Users table of the database, to which admins have easy access. You can delete user records via the CLI: https://docs.mattermost.com/administration/command-line-tools.html#mattermost-user-delete

Let us know if this helps, and if we can clarify any of the above?

Note that the personal data (in this case your email) isn't used for marketing purposes and no other personally identifiable data is collected. So this is different from other services like websites which can collect information via cookies.

@realrolfje

Dear Jason, thanks for the answer but this does not answer my question and to my knowledge does not cover GDPR.

  1. As I said in my former post, our existing, pre-registered users all need to receive an email with a link which explains the new terms, and contains a way to explicitly re-affirm their consent. Any installation of Mattermost needs to do this.
  2. The current Mattermost privacy policy does not explain in non-legalese text what the provided personal data is used for, where it is sent, and how to request permanent deletion of any data in the database (the right to be forgotten).

The GDPR includes high fines (depending on the situation up to EUR 20 million or 4% of the annual global turnover, whichever is the highest) and generally aims to enhance the enforcement by national data protection authorities. Stricter enforcement is to be expected.

This can become (strictly speaking, already is) a big deal for European Mattermost installations.

@DSchalla
Member

Hi @realrolfje,

  1. Understood, cannot disagree with that one. You could write something yourself to do this, but I understand that won't work for everyone. Also, from my understanding, only MM instances that are operated by a company need to do this; from my understanding this is not applicable to hobbyist communities, e.g. - What solutions would you have in mind? Lock out all users, send them an email, and they have to confirm on a webpage that they accept the privacy policy to enable them again?

  2. The privacy policy link can be overwritten, since your company's privacy policy may of course be different from the default MM one. Additionally, the contact for the right to be forgotten needs to be customized anyway, so you'll most likely want to change that link to an internal version: Privacy Policy Link Config. Your version can then of course contain, in non-legalese text, what data is stored and how to request removal.

Disclaimer: I am just a contributor, and not a lawyer.

@realrolfje

I'm not a lawyer either and I see a lot of different solutions of companies and people struggling with this, as am I ;-)

I guess in our case we have a gray area where we are in a hobbyist situation, but the server runs in a virtual machine which is provided free of charge by a company. Also, the members can voluntarily contribute to the running costs of all systems (not just Mattermost), and the user base is over 600 users now. Uptime is really high with aggressive backup schemes and Telegram/IRC bridges. It doesn't feel all that "hobbyist" anymore :-) . We don't want to get into the situation where we need to take down the server for everyone.

I can write something myself, but since all Mattermost instances in Europe will have this problem, I think it needs to be added to Mattermost itself. Mattermost can already mail users, it knows who's active, and can administrate who clicked which link in the mail.

I think a mail with the GDPR policy (what is used and how), with three links called "I want to stay", "I want to leave, but you can keep my posts" and "delete all my data" would be enough.

I'm not entirely sure whether it is required to disable users and have them confirm to re-activate, and I am also not sure about how to deal with inactive users which are still in the database.

In our case we have our own GDPR statement and privacy policy, a link new registrars need to click before landing on a registration page, and also a link to the original Mattermost Privacy Policy for full disclosure.

For new users I think we can make a case that they at least had the chance to read all that, and confirmed by clicking the link. You can see that page here (sorry it's in Dutch).

I hope we can find a practical solution which fits the GDPR well enough so that European Mattermost installations can stay up and running without too much trouble. I'd be happy to help, though I'm not all that experienced in Golang, I'm afraid.

@jasonblais
Contributor

Thank you for the open feedback! I'll do some more research on this and get back to you. We want to get it right as well.

For new users I think we can make a case that they at least had the chance to read all that, and confirmed by clicking the link.

The privacy policy with full disclosure on account creation page was also there prior to GDPR being launched.

Also, another point is that the software doesn't collect, share or otherwise use personal information - except for the email address I suppose.

With that said, we are working on the ability for users to deactivate themselves. It's almost finished and releasing soon. Although it's not a full delete, it would automatically stop sending email notifications for instance mattermost/mattermost-webapp#1152

@realrolfje

realrolfje commented Jul 14, 2018

Hi Jason, not to be a pain, but I guess Mattermost does collect personal information, namely:

Required:

  • username (in our case we require users to use their HAM radio callsign for instance)
  • email address

Optional:

  • Full Name
  • Position (job or job title)
  • Profile picture

Having said that, I did see a couple of mails from services I registered at (for free) which do not do the "disable account and re-register to enable" trick (GitHub being one of them). They just sent out a mail to all users linking to the new GDPR privacy policy explaining their options. So maybe I'm overthinking this, but I am not a lawyer either. I'll try to see if I can find other info or help in my professional network.

@jasonblais
Contributor

Thanks @realrolfje! Yea, this is also on my list to look into further. But from what I've seen, no app has required my consent so far (though I'm not based in Europe, so the experience might be different)

Appreciate all the info and feedback thus far!

@jasonblais
Contributor

@realrolfje @DSchalla I thought about this more, and I think Mattermost covers GDPR requirements (which are also documented here)

1 - The privacy policy with full disclosure on account creation page was also there prior to GDPR being launched, and didn't change.

So the privacy policy someone agreed to in 2015 was the same as May 2018 when GDPR launched.

2 - The privacy policy can be customized by every system, which gives more control for every organization to update it as needed.

3 - The information collected (anonymous username, and email) isn't used for any marketing, advertisement or other promotional services. Same for the other information.

4 - Moreover, a user has the right to request their account and all related information to be deleted - which an admin can do via the command line tool.

5 - Finally, from my understanding, consent to the terms of service or privacy policy every 12 months is not required for GDPR.

The one thing that comes to mind is that when/if an admin updates the privacy policy, we offer a recommendation that they share those updates with all their users. An at-all in Town Square or another announcement channel with a link to the privacy policy should suffice.

Let me know what you think? Again, appreciate your thoughtfulness on this matter thus far.

@wiersgallak
Contributor

Closing issue as there have been no recent conversations or comments on Jason's last comment.
