GDPR Compliance

[timlinux]

We at XXXXX are happy to be certified QGIS organisation and have been issuing many certificates this spring. However a question was raised about storing the personal data of attendees. As we are operating inside the EU we are subject to the GDPR (https://gdpr.eu/), and need to be careful handling personal data of our attendees. Do you have a privacy notice for the site https://changelog.qgis.org/en/qgis/ regarding attendee data? I was trying to look for documentation that would explain how you process personal data and how you apply data protection principles, but could't find any. We need to ask our attendees for permission to add their information in the certification system, and it would be helpful if we knew more about where the information is going, where it is stored and who can access it.

[timlinux]

@dimasciput please go and see what we need to have in place to be compliant with the GDPR and implement accordingly. Pop me a note if you need any content written.

[dimasciput]

Checklist for website GDPR compliant:

• [ ] Know the data you are holding To know how users' personal data is controlled, you have to know what personal data you hold. The following checklist provides the framework that you need to follow to be GDPR compliant.

  • What personal data do you already have?
  • Does the data include sensitive personal data?
  • Do you hold personal data from minors, who are below 16 years of age?
  • How long do you keep personal data?
  • Do you have consent to collect personal data? Where is it stored?
  • Why do you collect this data?
  • How is collected personal data processed?
  • Where is collected personal data stored?
  • Who has access to this data in your business?
  • Do any third parties hold personal data you collected? If yes, how do you control their usage of this data? Do you have any agreements on this?
  • Are there any third parties, holding your users' personal data, based outside the EU? If yes, are they aware of the GDPR? Do you have any agreements with them?

• [ ] Update privacy policy

• [ ] Secure the website

• [ ] Use a cookie banner

• [ ] Verify the age of your website users who consent to data processing

  The GDPR permits personal data processing for persons at least 16 years of age. To lawfully collect personal data from minors younger than that age, you must receive consent from the holder of parental responsibility for the minor.

  Thus, your website must have an age verification process to verify the age of users before collecting any data. If the website determines that the user's age is below 16 years, implement a separate parental consent process.

• [ ] Check forms on website

  • Include a privacy statement that explains why you’re asking for their details; what you’re going to do with them; and that they can withdraw consent at any time.
  • Add an opt-in option, such as an unticked checkbox or a disabled toggle switch to get user consent to collect data. Add a checkbox (or similar option) so that people can choose whether to receive correspondence from you or related services.
  • Preferably, add a link to the Privacy Policy for further information.

• [ ] Get consent for emails

  If you use email marketing services to send out newsletters or send emails for any other purpose to EU users, you need permission from your users to send these emails. The users have to give an opt-in to receive emails from you.

  Users should also have the possibility to opt-out of emails at any time. Provide an unsubscribe link in your email, easily found by the user. After the user clicks on it, it should take the user to a page where he may easily unsubscribe from emails without any justification.