GDPR Compliance

[rafalp]

This is meta-issue for tracking Misago's complicance with GDPR.

CHECKLIST

• [x] Right to remove data from site - Misago 0.17 shipped with option for users to delete their own account.
• [x] Right to be forgotten - Misago 0.17 anonymizes user data when their account is deleted.
• [x] Right to know what personal data is processed - Misago needs to provide tool for admins to export user data to neat package that may then be sent to user.
• [x] Explicit consents - Misago should let site administrators to define custom consents for their users to see, accept, opt in or opt out.
• [x] Make IP store temporary - Misago should have an option for IP addresses to be stored only specified amount of time and anonymized after this time passes.
• [x] Prune unused accounts - Misago should have an option for user accounts to be deleted after specified amount of time if account never posted anything and doesn't belong to "protected" group: is staff/already scheduled for deletion/has non-deletable rank.

[ghost]

Hey @rafalp! I try to help but I am new to Django and need to know how you imagine the integration on those tasks :

• Cookie Warning (https://github.com/TyMaszWeb/django-cookie-law)
• Versionable Legal (as there is a new version every user need to sign it again.)
• Support export of own user data (which format; maybe only when the user wants to delete his account and data?!)

[rafalp]

Hey!

Cookie Warning

You don't need cookie warning, only inform about cookies in your privacy policy.

Versionable Legal (as there is a new version every user need to sign it again.)

On roadmap for Misago 0.19. I already have this laid out in my head, and it amounts to:

We will record time and contents of agreement when user has given it, together with copying that agreement in shape it was when user has given it, to database.

We will also provide an option between agrement's level of importance: ergo just notify user, or require user to agree or remove their data.

Support export of own user data (which format; maybe only when the user wants to delete his account and data?!)

Per GDPR You must be able to provide user with data export in reasonable time following their request. You cannot tie data export to account deletion or require payment for this export (other than, eg. postal costs for sending them letter with exported data).

Misago will export data to compressed archive containing JSON files with your profile, posts, likes, etc ect that we will then e-mail the download link to to your address.

[ghost]

Ok. Can I help you with any of the above tasks so I can practise my django skills ?

[rafalp]

The checklist is not done.