How to comply with the GDPR ?

[urien]

Semantic forms allows personal data to be collected and linked. People should be informed when they create an account, procedures should be put in place to prohibit the collection of sensitive data (within the meaning of GDPR), and GDPR compliance documented.

[jmvanel]

Account creation warning

When the user creates an account, is it enough to display a suitable text, and which one ? Text would include "using this site implies acceptation of the following."

Collection of sensitive data

By design, SF collects RDF data that is already publicly available on the Web. But this is not OK with the GDPR. The data about a person other than the user should not be stored, even if that comes from FOAF profiles that are meant for sharing. This contradicts what is the essence of Linked Open Data, but we must comply ! :( . However, it is OK to have a triple with foaf:knows , and to display the remote person profile, but this data should not stored in database except with an explicit permission of the person publishing the FOAF profile. To enforce this, I see two possible mechanisms:

• ask the persons publishing a FOAF profile to create a SF account, and then they will associate the FOAF profile with their account
• keep track of the permission by email to be able to prove to regulation authority (CNIL in France) that the storage of personal is legitimate

Also, a user with a valid email ( see issue #208 ) can only publish one FOAF person: himself.

Besides data already publicly available on the Web, and data entered in forms by users, other mechanisms to load data in SF are:

• the /loadservice , not part of the web pages, which will be restricted to site administrator
• loading data directly in command line with the database scripts, of course restricted to the server administrator
• to be complete, it's also possible to add data with SPARQL UPDATE, although it's not convenient at all; this will be restricted to site administrator

GDPR compliance documented

Take inspiration from:

• CMS
• social media
• wikis
• GrottoCenter.org NOTE: there are 2 documents: one for the user, one for the regulation authority .

Search background information on GDPR & LOD

I found few things by searching the web for LOD linked data + "GDPR" , except these pages :

• (PDF) Legal aspects of linked data – The European frameworkhttps://www.researchgate.net › 27 sept. 2020 — Linked data is configuring a global data space of high ... The General Data Protection Regulation (GDPR) passed on 2016 April 14 in ...
• (PDF) Intellectual Property Linked Open Data Building Bridges ...https://www.researchgate.net › 19 août 2020 — patent documents to other linked open data (LOD) sources available on ... to potential General Data Protection Regulation (GDPR) restrictions.
• The Linked Data Showcase (LDS) pilot: the value of ...https://joinup.ec.europa.eu