Compatibility with GDPR

[avillegasn]

We need to check if we need to do something about it in the camptix-invoices plugin.

[iceablemedia]

From what I understand about GDPR, I don't think we need to do anything in the plugin , but site owners (and WordCamp Central in the case of wordcamp.org) will definitely need to have a GDPR-compliant privacy policy which takes into account:

• The personal data involved in the invoicing process for each attendee (name, email address, invoicing street address, vat number if applicable)
• The fact that these are stored in the website's database
• That they are not shared with anyone, and only the site owner (event organizer(s)) and related ticket owners have access to them
• For the purpose of providing an invoice to attendees who request one during purchase
• For probably X weeks/month after the event (to be determined by the site owner / event organizer)

Maybe we can add a notice as a reminder about these in the plugin or its documentation?

About the last point, I wonder if camptix allows to delete tickets/attendees information at some point after the event. If so we could allow invoices and associated data to be deleted at the same time. Otherwise we could leave it to the site owners to manage data on their site, and delete them when appropriate.

[iandunn]

I can't think of any implications GDPR has in this context, since we're not collecting any additional data, or providing it to any new parties. @coreymckrill, @vedanshujain, can you think of anything?

[coreymckrill]

It looks like there is potentially some additional data that this plugin collects that we'd need to include in data export/erasure requests.

• Email address that the invoice will be sent to. Assuming this is generally the email address of the ticket purchaser, who is usually an individual rather than a business.
• Street address that gets included in the invoice document that is created. Assuming this is generally the street address of the ticket purchaser, who is usually an individual rather than a business.
• VAT number?

We'll need to make sure those fields get hooked into the relevant wp_privacy_ hooks.

[avillegasn]

I've added the code that adds invoice data in the data export request. But for the erasure request, I'm not sure if it is legally correct to allow erasing/anonymizing invoices. As far as I know, invoices shouldn't change/be removed once they are issued (even if a person asks us to do it). Let me know what you think about this @coreymckrill