GDPR Compliance Guide
The General Data Protection Regulation is an EU regulation concerning the processing of EU residents data.
For reference, entire regulation can be read on the EUR-Lex.
Data is a burden
Make sure you keep as little of what can be considered personal data, as possible.
Data processing starts with user registering on your site. Even if they failed to activate their account, you are now processing their e-mail address, username and IP address. Make sure you are peridically deleting old IP address and inactive user accounts - use the
deleteinactiveusers management commands or run them in your
cron to prevent amount of data processed growing uncontrollably.
Because user data embed in posts is impossible to delete or anonymize automatically, update your forum rules to advise users against posting photos, addresses or other personal data outside of their profiles.
Automation vs administrator action
GDPR doesn't require the site to provide options for users to exert their rights. For example, you don't have to provide a feature in user control panel enabling user to delete their account if you don't want to. "To delete your account please contact the administrator" in your privacy is good enough, under the condition that you will delete user's account after reach out to you with such request.
Articles 12 to 14 of GDPR require site administrators to inform the users about following:
- Who is data administrator on the site, where are they located and how can they be contacted.
- What kind of personal data is being processed by the site, why, for how long, who has access to it and how is it being protected.
- Where is data being storer physically, which company are servers leased from.
- That they have the right to know what data about you is being held and processed.
- That they have the right to rectify any inaccurate personal data.
- That they have the right to be forgotten.
- That they have the right to restriction of processing.
- That they have the right to object to processing.
Right of access
Paragraph 3 of article 15 grants site users right to receive the copy of their personal data being processed. You can enable users to do this themselves using the
MISAGO_ENABLE_DOWNLOAD_OWN_DATA setting or direct them to site administrator, who can trigger data downloads for them from admin control panel.
Right to be forgotten or object
Articles 17, 18 and 21 grant your users a right to delete and anonymize their data.
Admin control panel provides an option for administrator to delete only user account, or user account together with content associated with it such as threads, posts or attachments. If you wish to, you may enable users to delete their accounts using the option on their options page. Users may also delete their accounts when new agreement becomes active. In case when user account is deleted by user, their posted content is left behind.
When user account is deleted, Misago attempts to automatically anonymize any user data left behind, but its unable to delete/anonymize user embed in user posts.